Kimai
CVE-2026-28685
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
AnalysisAI
Kimai versions prior to 2.51.0 lack proper customer-level access controls in the invoice API endpoint, allowing any user with the TEAMLEAD role to enumerate and read all invoices across the entire system regardless of customer ownership. Public exploit code exists for this authorization bypass vulnerability, which can lead to unauthorized disclosure of sensitive financial and customer data. A patch is available in version 2.51.0 and should be applied immediately.
Technical ContextAI
Classified as CWE-285 (Improper Authorization). Affects Kimai. Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 2.51.0.. Restrict network access to the affected service where possible.
Kimai is a web-based multi-user time-tracking application. Rated high severity (CVSS 7.2), this vulnerability is remotel
Kimai versions prior to 2.46.0 contain an overly permissive Twig sandbox configuration in the export functionality that
Kimai is a web-based multi-user time-tracking application. Rated medium severity (CVSS 6.5), this vulnerability is remot
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into
A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Rated medium severity (CVSS 6.5), this vu
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v33r-r6h2-8wr7