Titra Sensitive Configuration Exposure Vulnerability in Global Settings Publication
Vulnerability
A vulnerability in the Titra time-tracking application, version 0.99.52, allows any authenticated user to read sensitive global settings through the 'globalsettings' Meteor publication. The publication performs no admin or role check, so any logged-in user can subscribe to it over DDP and receive every published document, including confidential values such as API keys and secrets. At the time of publication, no public patch is available.
Impact
An authenticated, non-admin user can retrieve every global setting, pick out the API keys and secrets among them, and use those credentials against the third-party services they belong to.
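The following is an added example, not Titra's code and not a reproduction of the real publication. It imitates the relevant part of Meteor's server-side publish mechanism and the DDP "sub" round-trip in plain JavaScript so it runs without Meteor, and places a publication of the vulnerable shape described above (login required, no role check, all fields shipped) beside a hardened one that requires an admin and projects secret values out. The collection contents, the user records and their `isAdmin` flag, and the setting names are constructed assumptions; in a real Meteor app the handlers would be registered with `Meteor.publish` and would return `Collection.find(selector, { fields })` cursors.

```javascript
// Added example (not Titra's code): a minimal stand-in for a Meteor
// publication plus a DDP "sub" round-trip, showing an unchecked
// 'globalsettings' publication next to a role-checked one.

// Constructed sample data: what a global settings collection might hold.
const GLOBALSETTINGS = [
  { _id: 'timeunit', name: 'timeunit', value: 'h' },
  { _id: 'smtpPassword', name: 'smtpPassword', value: 'hunter2' },
  { _id: 'slackApiKey', name: 'slackApiKey', value: 'xoxb-constructed-key' },
];
// Names that must never reach a browser. Constructed for this example.
const SECRET_NAMES = new Set(['smtpPassword', 'slackApiKey']);

// Constructed users; the isAdmin flag is an assumption, not Titra's schema.
const USERS = {
  'u-admin': { _id: 'u-admin', isAdmin: true },
  'u-normal': { _id: 'u-normal', isAdmin: false },
};

// Tiny imitation of Meteor's server-side publish registry.
const publications = new Map();
function publish(name, handler) { publications.set(name, handler); }

// Vulnerable shape: any logged-in user gets every document, values included.
publish('globalsettings-vulnerable', function () {
  if (!this.userId) { this.ready(); return []; }
  return GLOBALSETTINGS;
});

// Hardened shape: require a logged-in admin, and even then keep secret
// values server-side (a field projection); everyone else gets an empty,
// ready subscription rather than an error that reveals the setting exists.
publish('globalsettings-hardened', function () {
  if (!this.userId) { this.ready(); return []; }
  const user = USERS[this.userId];
  if (!user || !user.isAdmin) { this.ready(); return []; }
  return GLOBALSETTINGS.map((doc) =>
    SECRET_NAMES.has(doc.name) ? { _id: doc._id, name: doc.name } : doc);
});

// Server side of a DDP "sub": invoke the handler with a Meteor-like context
// (this.userId, this.ready) and turn the documents into "added" messages.
function handleSub(subMsg, userId) {
  const handler = publications.get(subMsg.name);
  if (!handler) return [{ msg: 'nosub', id: subMsg.id, error: { error: 404 } }];
  const ctx = { userId, ready() { /* no-op in this simulation */ } };
  const docs = handler.apply(ctx, subMsg.params || []);
  const out = docs.map((doc) => {
    const { _id, ...fields } = doc;
    return { msg: 'added', collection: 'globalsettings', id: _id, fields };
  });
  out.push({ msg: 'ready', subs: [subMsg.id] });
  return out;
}

// What a DDP client sends over the websocket after "connect" and a login
// method call; this publication takes no params.
function subscribeMessage(id, name) {
  return { msg: 'sub', id, name, params: [] };
}

// Names of secret settings whose values actually reach the client.
function leakedSecrets(pubName, userId) {
  const replies = handleSub(subscribeMessage('1', pubName), userId);
  return replies
    .filter((m) => m.msg === 'added' && SECRET_NAMES.has(m.fields.name)
      && 'value' in m.fields)
    .map((m) => m.fields.name)
    .sort();
}
```

A non-admin subscribing to the vulnerable publication receives both secret values in the `added` messages; against the hardened one, neither a non-admin nor an unauthenticated caller receives any document, and an admin receives the setting names without the secret values. The same projection belongs on the Mongo `find` call in a real publication, so that the server never reads the secret field into the publish cursor at all.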
