Kimai CVE-2026-52822
MEDIUMSeverity by source
Network-reachable API endpoint requires only low-privilege authenticated user; impact is limited to integrity of timesheet data with no confidentiality or availability loss.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet restart and duplicate workflows. After a user loses access to a project, the user can still derive a new timesheet from one of their historical entries and create a new record under that now-unauthorized project and activity combination.
This is a permission revocation bypass with persistent write impact. The issue affects both restart and duplicate, which trust ownership of an old timesheet more than the user's current access to the underlying project, activity, and customer.
Details
The issue affects the following operations:
PATCH /api/timesheets/{id}/restartPATCH /api/timesheets/{id}/duplicate
The root cause is that authorization gives too much weight to the fact that the original timesheet belongs to the current user. In src/Voter/TimesheetVoter.php, the *_own_timesheet branch is evaluated before team-based access checks.
The restart/duplicate capability check also verifies only object visibility, not whether the current user still has team-based access to the referenced objects.
In src/API/TimesheetController.php, the restart flow copies the historical project and activity into a new candidate timesheet.
The duplicate flow similarly clones the historical record and saves it.
In src/Timesheet/TimesheetService.php, creation of a new running entry still relies on isGranted('start', $timesheet).
For historical entries that belong to the current user, this logic can still succeed through the *_own_timesheet branch even after project access has been revoked. As a result, normal creation pages correctly stop offering the revoked project, but restart and duplicate can still create new records under it.
The same weakness also affects the Web duplicate flow because the UI path ultimately calls the same save logic in src/Controller/TimesheetAbstractController.php:
*A PoC was provided, but removed for security reasons.*
Impact
This vulnerability allows a user to keep writing new time entries into a project after project access has been revoked. That undermines administrative access-control changes and can pollute project time tracking, budget calculations, statistics, reports, and invoicing workflows.
Because both restart and duplicate can reuse historical project/activity bindings, old timesheet records effectively become reusable capability tokens that survive later access-control changes. This is not a UI artifact or a caching problem: new database rows are persisted after revocation.
Solution
The metoid TimesheetVoter::canStart() now checks team access for project and activity. This verification is used for new timesheets and also for the duplication and restart workflows.
See https://www.kimai.org/en/security/ghsa-c6w6-57jj-62vh for more information.
AnalysisAI
Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because TimesheetVoter.php evaluates the *_own_timesheet ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Kimai user account (PR:L) that previously had access to a specific project and has since had that access administratively revoked. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No vendor-supplied CVSS score is available for this CVE, so all metric assessments are inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Kimai user is removed from a project team by an administrator. Rather than accepting the revocation, the user queries the REST API for a historical timesheet entry they created while still authorized, then sends `PATCH /api/timesheets/{id}/restart` referencing that entry. … |
| Remediation | Upgrade to Kimai 2.58.0, which fixes `TimesheetVoter::canStart()` to enforce team-based access checks for the referenced project and activity during both restart and duplicate operations, bringing these paths in line with normal timesheet creation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c6w6-57jj-62vh