PHP
CVE-2026-40486
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and internal_rate.
Details
Kimai restrictively protects the hourly_rate and internal_rate parameters during standard GUI flow. Users lacking the hourly-rate role permissions cannot see or edit these fields via the standard Web Form (UserApiEditForm / UserEditType).
The vulnerability exists in the dedicated preferences API endpoint: src/API/UserController.php::updateUserPreference.
When a PATCH request is sent to /api/users/{id}/preferences, the endpoint iterates through the submitted JSON array and blindly applies the new values:
foreach ($request->request->all() as $preference) {
// ... validation omitted ...
if (null === ($meta = $profile->getPreference($name))) {
throw $this->createNotFoundException(\sprintf('Unknown custom-field "%s" requested', $name));
}
$meta->setValue($value); // <-- VULNERABILITY
}The underlying Role-Based Access Control logic (UserPreferenceSubscriber::getDefaultPreferences) accurately identifies that standard users lack the hourly-rate role, and flags the dynamically generated preference object as disabled ($preference->setEnabled(false)).
However, the updateUserPreference API endpoint entirely ignores this isEnabled() flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings.
PoC
- Log into Kimai as an unprivileged, standard employee account (a user with absolutely no
rolesarray privileges). - Capture the
cookieor Session cookies. (In this example, the user's ID is2). - Send the following cURL request (or intercept via Burp Suite) targeting your own user ID:
curl -i -X PATCH "http://localhost:8001/api/users/2/preferences" \
-H "Content-Type: application/json" \
-H "cookie: <YOUR_STANDARD_USER_TOKEN>" \
-d '[
{
"name": "hourly_rate",
"value": "1337"
},
{
"name": "internal_rate",
"value": "1337"
}
]'- The server responds with
HTTP/1.1 200 OK. (Note: Thehourly_ratewill intentionally NOT appear in the JSON echo due toUser::getVisiblePreferencessanitizing output based on the same disabled flag). - If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed
hourly_rateapplied to their account will be confirmed as1337.
<img width="1542" height="1039" alt="user_account" src="https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844" /> <img width="1539" height="1037" alt="admin_account" src="https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0" />
Impact
This is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.
Analysis
Summary
A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and internal_rate.
Details
Kimai restrictively protects the hourly_rate and internal_rate parameters during standard GUI flow. Users lacking the hourly-rate role permissions cannot see or edit these fields via the standard Web Form (UserApiEditForm / UserEditType).
The vulnerability exists in the dedicated preferences API endpoint: src/API/UserController.php::updateUserPreference.
When a PATCH request is sent to /api/users/{id}/preferences, the endpoint iterates through the submitted JSON array and blindly applies the new values:
foreach ($request->request->all() as $preference) {
// ... validation omitted ...
if (null === ($meta = $profile->getPreference($name))) {
throw $this->createNotFoundException(\sprintf('Unknown custom-field "%s" requested', $name));
}
$meta->setValue($value); // <-- VULNERABILITY
}The underlying Role-Based Access Control logic (UserPreferenceSubscriber::getDefaultPreferences) accurately identifies that standard users lack the hourly-rate role, and flags the dynamically generated preference object as disabled ($preference->setEnabled(false)).
However, the updateUserPreference API endpoint entirely ignores this isEnabled() flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings.
PoC
- Log into Kimai as an unprivileged, standard employee account (a user with absolutely no
rolesarray privileges). - Capture the
cookieor Session cookies. (In this example, the user's ID is2). - Send the following cURL request (or intercept via Burp Suite) targeting your own user ID:
curl -i -X PATCH "http://localhost:8001/api/users/2/preferences" \
-H "Content-Type: application/json" \
-H "cookie: <YOUR_STANDARD_USER_TOKEN>" \
-d '[
{
"name": "hourly_rate",
"value": "1337"
},
{
"name": "internal_rate",
"value": "1337"
}
]'- The server responds with
HTTP/1.1 200 OK. (Note: Thehourly_ratewill intentionally NOT appear in the JSON echo due toUser::getVisiblePreferencessanitizing output based on the same disabled flag). - If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed
hourly_rateapplied to their account will be confirmed as1337.
<img width="1542" height="1039" alt="user_account" src="https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844" /> <img width="1539" height="1037" alt="admin_account" src="https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0" />
Impact
This is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qh43-xrjm-4ggp