Skip to main content

PHP CVE-2026-40486

MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-04-15 https://github.com/kimai/kimai GHSA-qh43-xrjm-4ggp
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 16, 2026 - 02:30 nvd
Patch available
CVE Published
Apr 15, 2026 - 19:46 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and internal_rate.

Details

Kimai restrictively protects the hourly_rate and internal_rate parameters during standard GUI flow. Users lacking the hourly-rate role permissions cannot see or edit these fields via the standard Web Form (UserApiEditForm / UserEditType).

The vulnerability exists in the dedicated preferences API endpoint: src/API/UserController.php::updateUserPreference.

When a PATCH request is sent to /api/users/{id}/preferences, the endpoint iterates through the submitted JSON array and blindly applies the new values:

php
foreach ($request->request->all() as $preference) {
    // ... validation omitted ...
    if (null === ($meta = $profile->getPreference($name))) {
        throw $this->createNotFoundException(\sprintf('Unknown custom-field "%s" requested', $name));
    }

    $meta->setValue($value); // <-- VULNERABILITY
}

The underlying Role-Based Access Control logic (UserPreferenceSubscriber::getDefaultPreferences) accurately identifies that standard users lack the hourly-rate role, and flags the dynamically generated preference object as disabled ($preference->setEnabled(false)).

However, the updateUserPreference API endpoint entirely ignores this isEnabled() flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings.

PoC

  1. Log into Kimai as an unprivileged, standard employee account (a user with absolutely no roles array privileges).
  2. Capture the cookie or Session cookies. (In this example, the user's ID is 2).
  3. Send the following cURL request (or intercept via Burp Suite) targeting your own user ID:
bash
curl -i -X PATCH "http://localhost:8001/api/users/2/preferences" \
  -H "Content-Type: application/json" \
  -H "cookie: <YOUR_STANDARD_USER_TOKEN>" \
  -d '[
  {
    "name": "hourly_rate",
    "value": "1337"
  },
  {
    "name": "internal_rate",
    "value": "1337"
  }
]'
  1. The server responds with HTTP/1.1 200 OK. (Note: The hourly_rate will intentionally NOT appear in the JSON echo due to User::getVisiblePreferences sanitizing output based on the same disabled flag).
  2. If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed hourly_rate applied to their account will be confirmed as 1337.

<img width="1542" height="1039" alt="user_account" src="https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844" /> <img width="1539" height="1037" alt="admin_account" src="https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0" />

Impact

This is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.

Analysis

Summary

A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and internal_rate.

Details

Kimai restrictively protects the hourly_rate and internal_rate parameters during standard GUI flow. Users lacking the hourly-rate role permissions cannot see or edit these fields via the standard Web Form (UserApiEditForm / UserEditType).

The vulnerability exists in the dedicated preferences API endpoint: src/API/UserController.php::updateUserPreference.

When a PATCH request is sent to /api/users/{id}/preferences, the endpoint iterates through the submitted JSON array and blindly applies the new values:

php
foreach ($request->request->all() as $preference) {
    // ... validation omitted ...
    if (null === ($meta = $profile->getPreference($name))) {
        throw $this->createNotFoundException(\sprintf('Unknown custom-field "%s" requested', $name));
    }

    $meta->setValue($value); // <-- VULNERABILITY
}

The underlying Role-Based Access Control logic (UserPreferenceSubscriber::getDefaultPreferences) accurately identifies that standard users lack the hourly-rate role, and flags the dynamically generated preference object as disabled ($preference->setEnabled(false)).

However, the updateUserPreference API endpoint entirely ignores this isEnabled() flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings.

PoC

  1. Log into Kimai as an unprivileged, standard employee account (a user with absolutely no roles array privileges).
  2. Capture the cookie or Session cookies. (In this example, the user's ID is 2).
  3. Send the following cURL request (or intercept via Burp Suite) targeting your own user ID:
bash
curl -i -X PATCH "http://localhost:8001/api/users/2/preferences" \
  -H "Content-Type: application/json" \
  -H "cookie: <YOUR_STANDARD_USER_TOKEN>" \
  -d '[
  {
    "name": "hourly_rate",
    "value": "1337"
  },
  {
    "name": "internal_rate",
    "value": "1337"
  }
]'
  1. The server responds with HTTP/1.1 200 OK. (Note: The hourly_rate will intentionally NOT appear in the JSON echo due to User::getVisiblePreferences sanitizing output based on the same disabled flag).
  2. If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed hourly_rate applied to their account will be confirmed as 1337.

<img width="1542" height="1039" alt="user_account" src="https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844" /> <img width="1539" height="1037" alt="admin_account" src="https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0" />

Impact

This is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-40486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy