Skip to main content

Kimai CVE-2026-52819

MEDIUM
Incorrect Authorization (CWE-863)
2026-07-13 https://github.com/kimai/kimai GHSA-4m8q-55qv-9pwp
Share

Severity by source

vuln.today AI
6.5 MEDIUM

Network API requires ROLE_TEAMLEAD authentication (PR:L, AC:L); full disclosure of financial rate and PII data warrants C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 00:16 vuln.today
Analysis Generated
Jul 14, 2026 - 00:16 vuln.today

DescriptionCVE.org

Summary

GET /api/timesheets?user=<id> (and users[]=<id>) returns the targeted user's timesheet records to any caller that has the view_other_timesheet permission, without verifying that the caller is teamlead of any team containing the target user. The per-record endpoint GET /api/timesheets/{id} correctly enforces this check via TimesheetVoter/RolePermissionManager::checkTeamAccessTimesheetcheckTeamLeadAccess, but the list endpoint only filters projects/customers by team membership and never validates t.user. A ROLE_TEAMLEAD user can therefore enumerate any user's records - including the rate field - as long as those records are on a project with no team scoping (Kimai's default) or on any project that shares any team (membership, not lead) with the requester.

Details

Root cause: authorization mismatch between the per-record voter and the list endpoint.

Per-record path (correct)

src/Voter/TimesheetVoter.php:138:

php
if (!$this->permissionManager->checkTeamAccessTimesheet($subject, $user)) {
    return false;
}
return $this->permissionManager->hasRolePermission($user, $permission . '_other_timesheet');

checkTeamLeadAccess (RolePermissionManager.php:143-160) requires isTeamleadOf (not just member) one of the target user's teams. The unit test testTeamleadDeniedWhenOnlyPlainMemberOfOwnerTeam (tests/Voter/TimesheetVoterTest.php:253-269) codifies this:

> *"a TEAMLEAD role with view_other_timesheet must not access another user's timesheet by being a plain team member - they must be the team's teamlead."*

List path (vulnerable)

src/API/TimesheetController.php:97-119:

php
public function cgetAction(ParamFetcherInterface $paramFetcher, ..., UserRepository $userRepository): Response
{
    $query = new TimesheetQuery(false);
    $this->prepareQuery($query, $paramFetcher);
    $seeAll = false;

    if ($this->isGranted('view_other_timesheet')) {
        /** @var array<int> $users */
        $users = $paramFetcher->get('users');
        $userId = $paramFetcher->get('user');

        if ('all' === $userId) {
            $seeAll = true;
        } elseif (\is_string($userId) && $userId !== '') {
            $users[] = (int) $userId;
        }

        if (!$seeAll) {
            foreach ($userRepository->findByIds($users) as $user) {
                $query->addUser($user);   // <-- no teamlead-of-target check
            }
        }
    }
    ...

config/packages/kimai.yaml:96,115 grants TIMESHEET_OTHER (which contains view_other_timesheet) to ROLE_TEAMLEAD, so the gate at line 103 passes for any teamlead. The user= / users[]= IDs are pushed straight into the query.

Net effect

For any victim bob who:

  • has at least one team that the requester alice is not teamlead of (so the voter denies per-record access), AND
  • has timesheets either on a project with no team (Kimai's default), or on a project that shares any team with alice (membership, not lead)

alice is denied via GET /api/timesheets/{id} but receives bob's records via GET /api/timesheets?user=<bob_id>.

Disclosed fields in the collection response include description, begin, end, duration, billable, exported, tags, rate, internalRate, plus project/activity/user IDs (Default/Collection serializer groups, Timesheet.php:164-173). rate is financial data that the per-record voter is supposed to gate via the separate view_rate_other_timesheet permission.

Why other proposed mitigations don't apply

  • The view_other_timesheet IsGranted on the route is the only authorization layer in the list path; ROLE_TEAMLEAD has it globally.
  • prepareQuery only sets currentUser, not authorization (BaseApiController.php:68-71).
  • The serializer does not filter rate per caller - it is a static Default-group property.
  • Recent commit 20c7b03 "Re-usable ACL checks on teams" hardened the voter side but left the list endpoint unchanged.

*A PoC was provided, but removed for security reasons.*

Impact

  • Authorization bypass: a ROLE_TEAMLEAD (a non-admin role typically granted to multiple users in a Kimai instance) can read any other user's timesheet records
  • Financial data disclosure: the rate and internalRate fields are returned in the collection serializer group, leaking what gets billed/costed against any user's records.
  • PII / activity disclosure: per-entry description, begin, end, duration, billable, exported, project/activity/customer IDs, and tags are leaked, allowing reconstruction of any user's activity timeline.

Solution

The list of requested user TimesheetController::cgetAction() is now guarded with the access_user permission. The access_user permission verifies that the requesting user is allowed to see each of the requested user. If any of the requested users may not be seen, the entire call will fail.

Find out more at https://www.kimai.org/en/security/ghsa-4m8q-55qv-9pwp

AnalysisAI

{id} correctly enforces teamlead validation through TimesheetVoter, but the collection endpoint GET /api/timesheets?user=<id> omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as ROLE_TEAMLEAD via API
Delivery
Enumerate target user ID via /api/users
Exploit
Send GET /api/timesheets?user=<victim_id>
Execution
Bypass teamlead-of-target check in list endpoint
Persist
Receive victim's timesheet records including rate fields
Impact
Exfiltrate financial and activity PII

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active ROLE_TEAMLEAD account on the target Kimai instance - a low-privilege non-admin role typically granted to line managers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor-provided CVSS score or EPSS data is available for this CVE; risk metrics are based on manual assessment of the vulnerability mechanics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Kimai user `alice` holding ROLE_TEAMLEAD authenticates to the API and issues `GET /api/timesheets?user=<bob_id>` using bob's numeric user ID (enumerable via the Kimai user list API). Because alice's role carries `view_other_timesheet` globally, the list endpoint returns bob's full timesheet collection - including description text, timestamps, and rate/internalRate financial fields - without verifying that alice is teamlead of any of bob's teams. …
Remediation Upgrade to Kimai 2.57.0, which adds an `access_user` permission check inside `TimesheetController::cgetAction()` that validates whether the requesting user is authorized to view each requested user's records; if any requested user fails this check, the entire API call is rejected. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy