Skip to main content

Kimai CVE-2026-49992

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-13 https://github.com/kimai/kimai GHSA-pgcc-vfmc-7cw5
Share

Severity by source

vuln.today AI
4.3 MEDIUM

Network-reachable GET endpoint; no attacker privileges needed; user interaction required (victim must visit malicious page); integrity impact is low as only authorization structure is modified, not data exfiltrated or destroyed.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 00:16 vuln.today
Analysis Generated
Jul 14, 2026 - 00:16 vuln.today

DescriptionCVE.org

Summary

Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through GET routes and directly create or reuse a Team, add the current user as teamlead, and bind the target object to that team.

As a result, an attacker can trick a logged-in user with the required permissions into visiting a malicious page and cause unauthorized changes to team, teamlead, and object-binding relationships. This is a real authorization-structure modification issue rather than a harmless UI shortcut.

Details

The issue affects at least the following routes:

  • GET /en/admin/project/{id}/create_team
  • GET /en/admin/customer/{id}/create_team
  • GET /en/admin/activity/{id}/create_team

Each of these routes is a GET endpoint, yet each performs persistent writes that alter authorization structure:

  • create or reuse a Team
  • add the current user as teamlead
  • bind the target Project, Customer, or Activity to that team

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows an attacker to remotely alter permission topology while the victim is logged in. A successful exploit can create or reuse a team, assign the victim as its teamlead, and bind a project, customer, or activity to that team without intentional user action.

The pre-requisite is, that the logged-in user already has access to manage permissions of the object in question.

Because these routes modify authorization structure rather than a simple personal preference, the business impact can extend into visibility rules, assignment scope, team-based access control, reporting, and later privilege-expansion chains. This makes the issue materially more serious than a low-value cosmetic CSRF.

Solution

  • The routes have been moved to API POST endpoints

See https://www.kimai.org/en/security/ghsa-pgcc-vfmc-7cw5

AnalysisAI

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target Kimai instance and admin victim
Delivery
Craft malicious page with embedded GET request to create_team route
Exploit
Deliver phishing link to authenticated admin victim
Execution
Victim browser fires authenticated GET request automatically
Persist
Kimai creates team and assigns victim as teamlead
Impact
Attacker leverages altered authorization topology for downstream privilege expansion

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is an authenticated Kimai user with permissions to manage the target object (project, customer, or activity) - specifically, the permission to manage team assignments for that object type. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector is provided by NVD for this CVE, so risk is assessed from first principles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page containing an embedded image or hidden iframe with the URL `https://target-kimai.example.com/en/admin/project/42/create_team`. When a Kimai admin with project-management permissions visits that page while authenticated, their browser silently issues the GET request, causing Kimai to create a team for project 42, assign the victim admin as teamlead, and bind the project to that team - all without any intentional action by the victim. …
Remediation Upgrade Kimai to version 2.58.0 or later, which resolves the vulnerability by migrating the three affected team-creation shortcuts from GET routes to POST API endpoints, making them subject to standard CSRF protection. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy