Kimai CVE-2026-49992
MEDIUMSeverity by source
Network-reachable GET endpoint; no attacker privileges needed; user interaction required (victim must visit malicious page); integrity impact is low as only authorization structure is modified, not data exfiltrated or destroyed.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through GET routes and directly create or reuse a Team, add the current user as teamlead, and bind the target object to that team.
As a result, an attacker can trick a logged-in user with the required permissions into visiting a malicious page and cause unauthorized changes to team, teamlead, and object-binding relationships. This is a real authorization-structure modification issue rather than a harmless UI shortcut.
Details
The issue affects at least the following routes:
GET /en/admin/project/{id}/create_teamGET /en/admin/customer/{id}/create_teamGET /en/admin/activity/{id}/create_team
Each of these routes is a GET endpoint, yet each performs persistent writes that alter authorization structure:
- create or reuse a
Team - add the current user as
teamlead - bind the target
Project,Customer, orActivityto that team
*A PoC was provided, but removed for security reasons.*
Impact
This vulnerability allows an attacker to remotely alter permission topology while the victim is logged in. A successful exploit can create or reuse a team, assign the victim as its teamlead, and bind a project, customer, or activity to that team without intentional user action.
The pre-requisite is, that the logged-in user already has access to manage permissions of the object in question.
Because these routes modify authorization structure rather than a simple personal preference, the business impact can extend into visibility rules, assignment scope, team-based access control, reporting, and later privilege-expansion chains. This makes the issue materially more serious than a low-value cosmetic CSRF.
Solution
- The routes have been moved to API
POSTendpoints
See https://www.kimai.org/en/security/ghsa-pgcc-vfmc-7cw5
AnalysisAI
CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim is an authenticated Kimai user with permissions to manage the target object (project, customer, or activity) - specifically, the permission to manage team assignments for that object type. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector is provided by NVD for this CVE, so risk is assessed from first principles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page containing an embedded image or hidden iframe with the URL `https://target-kimai.example.com/en/admin/project/42/create_team`. When a Kimai admin with project-management permissions visits that page while authenticated, their browser silently issues the GET request, causing Kimai to create a team for project 42, assign the victim admin as teamlead, and bind the project to that team - all without any intentional action by the victim. … |
| Remediation | Upgrade Kimai to version 2.58.0 or later, which resolves the vulnerability by migrating the three affected team-creation shortcuts from GET routes to POST API endpoints, making them subject to standard CSRF protection. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pgcc-vfmc-7cw5