Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage.
Details
All 8 team association endpoints in src/API/TeamController.php (lines 177, 201, 229, 252, 275, 298, 321, 339) use #[IsGranted('edit_team')] with a single argument. The web controller at src/Controller/TeamController.php:118 correctly uses #[IsGranted('edit', 'team')] with two arguments, passing the $team parameter as the subject. When edit_team is passed as the attribute, TeamVoter::supportsAttribute() returns false because it only recognizes view, edit, and delete. The voter abstains entirely. Only RolePermissionVoter fires, which checks the role-level permission without any entity-level ownership validation.
PoC
Authenticate as a user with edit_team permission who is NOT a member of Team 1
curl -X POST https://TARGET/api/teams/1/members/2 \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json"Expected: 403 Forbidden (user is not ROLE_ADMIN/ROLE_SUPER_ADMIN, or member of Team 1)
Actual (pre-2.54.0): 200 OK, user added to Team 1
Impact
In default configuration, only ROLE_ADMIN and ROLE_SUPER_ADMIN have edit_team, and both roles already have irrevocable view_all_data access, making the missing check redundant. The vulnerability becomes exploitable if an administrator grants edit_team to a lower-privilege role (such as ROLE_TEAMLEAD) through the permissions UI. In that scenario, the lower-privilege user could modify any team's membership, customer assignments, project assignments, and activity assignments without being a member or teamlead of that team.
AnalysisAI
Kimai's Team API endpoints fail to validate entity-level ownership due to incorrect Symfony IsGranted attribute syntax, allowing users with the edit_team permission to modify any team regardless of membership. The vulnerability arises because API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing the TeamVoter to abstain and fall back to role-only permission checks. In default configurations this is unexploitable since only admins hold edit_team permission, but if administrators grant edit_team to lower-privilege roles (such as ROLE_TEAMLEAD) via the permissions UI, those users can modify team memberships, customer assignments, project assignments, and activity assignments for any team without authorization. No public exploit code or active exploitation has been identified.
Technical ContextAI
Kimai is a web-based time tracking application built with Symfony and PHP. The vulnerability stems from incorrect usage of Symfony's authorization attribute syntax in access control checks. Symfony's voter system uses a two-phase process: first checking if a voter supports the given attribute and subject, then voting on permission. The TeamVoter class only recognizes 'view', 'edit', and 'delete' attributes and requires a team entity as the subject parameter (e.g., #[IsGranted('edit', 'team')]). When the API endpoints use #[IsGranted('edit_team')] with a single string argument, the TeamVoter does not recognize 'edit_team' as a supported attribute and abstains from voting entirely. Only the RolePermissionVoter then evaluates the permission, checking if the user's role has the edit_team permission at the system level without any object-level ownership validation. The affected endpoints are located in src/API/TeamController.php at lines 177, 201, 229, 252, 275, 298, 321, and 339, which handle team member, customer, project, and activity associations. The correct web-based controller (src/Controller/TeamController.php:118) properly passes the team entity as the subject, enabling the TeamVoter to enforce entity ownership checks.
RemediationAI
Upgrade Kimai to version 2.54.0 or later, which corrects the IsGranted attribute syntax in all Team API endpoints from #[IsGranted('edit_team')] to #[IsGranted('edit', 'team')] with the team entity as the subject parameter. This restores the TeamVoter's ability to enforce entity-level ownership checks. Organizations unable to upgrade immediately should implement a compensating control by restricting the assignment of the edit_team permission through the permissions UI to only ROLE_ADMIN and ROLE_SUPER_ADMIN, preventing delegation of team edit capabilities to lower-privilege roles. This control is compatible with default Kimai deployments but limits administrative flexibility for teams requiring delegated team management; document and review this restriction during the upgrade planning process. Detailed guidance is available in the GitHub security advisory at https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28495
GHSA-jv9x-w4gm-hwcm