Skip to main content

Kimai CVE-2026-52822

MEDIUM
Improper Authorization (CWE-285)
2026-07-14 https://github.com/kimai/kimai GHSA-c6w6-57jj-62vh
Share

Severity by source

vuln.today AI
4.3 MEDIUM

Network-reachable API endpoint requires only low-privilege authenticated user; impact is limited to integrity of timesheet data with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 00:31 vuln.today
Analysis Generated
Jul 14, 2026 - 00:31 vuln.today

DescriptionCVE.org

Summary

Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet restart and duplicate workflows. After a user loses access to a project, the user can still derive a new timesheet from one of their historical entries and create a new record under that now-unauthorized project and activity combination.

This is a permission revocation bypass with persistent write impact. The issue affects both restart and duplicate, which trust ownership of an old timesheet more than the user's current access to the underlying project, activity, and customer.

Details

The issue affects the following operations:

  • PATCH /api/timesheets/{id}/restart
  • PATCH /api/timesheets/{id}/duplicate

The root cause is that authorization gives too much weight to the fact that the original timesheet belongs to the current user. In src/Voter/TimesheetVoter.php, the *_own_timesheet branch is evaluated before team-based access checks.

The restart/duplicate capability check also verifies only object visibility, not whether the current user still has team-based access to the referenced objects.

In src/API/TimesheetController.php, the restart flow copies the historical project and activity into a new candidate timesheet.

The duplicate flow similarly clones the historical record and saves it.

In src/Timesheet/TimesheetService.php, creation of a new running entry still relies on isGranted('start', $timesheet).

For historical entries that belong to the current user, this logic can still succeed through the *_own_timesheet branch even after project access has been revoked. As a result, normal creation pages correctly stop offering the revoked project, but restart and duplicate can still create new records under it.

The same weakness also affects the Web duplicate flow because the UI path ultimately calls the same save logic in src/Controller/TimesheetAbstractController.php:

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows a user to keep writing new time entries into a project after project access has been revoked. That undermines administrative access-control changes and can pollute project time tracking, budget calculations, statistics, reports, and invoicing workflows.

Because both restart and duplicate can reuse historical project/activity bindings, old timesheet records effectively become reusable capability tokens that survive later access-control changes. This is not a UI artifact or a caching problem: new database rows are persisted after revocation.

Solution

The metoid TimesheetVoter::canStart() now checks team access for project and activity. This verification is used for new timesheets and also for the duplication and restart workflows.

See https://www.kimai.org/en/security/ghsa-c6w6-57jj-62vh for more information.

AnalysisAI

Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because TimesheetVoter.php evaluates the *_own_timesheet ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as revoked Kimai user
Delivery
Identify historical timesheet entry under revoked project
Exploit
Send PATCH /api/timesheets/{id}/restart or /duplicate
Execution
TimesheetVoter resolves via *_own_timesheet ownership branch
Persist
Team-based access check skipped
Impact
New timesheet row persisted to unauthorized project

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Kimai user account (PR:L) that previously had access to a specific project and has since had that access administratively revoked. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor-supplied CVSS score is available for this CVE, so all metric assessments are inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Kimai user is removed from a project team by an administrator. Rather than accepting the revocation, the user queries the REST API for a historical timesheet entry they created while still authorized, then sends `PATCH /api/timesheets/{id}/restart` referencing that entry. …
Remediation Upgrade to Kimai 2.58.0, which fixes `TimesheetVoter::canStart()` to enforce team-based access checks for the referenced project and activity during both restart and duplicate operations, bringing these paths in line with normal timesheet creation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy