Kimai CVE-2026-52825
MEDIUMSeverity by source
Network API, no complexity; PR:L because Teamlead role required; S:C because the integrity violation crosses the authorization boundary affecting other users and activities; no availability impact.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add users or activities that fall outside their intended visible or manageable scope, even when the frontend correctly hides those targets.
This affects both team member assignment and team activity assignment. The issue is caused by treating "may edit this team" as equivalent to "may attach any referenced object to this team", without performing a second authorization check on the target user or activity.
Details
The issue affects at least the following API routes:
POST /api/teams/{id}/members/{userId}POST /api/teams/{id}/activities/{activityId}
In both cases, the backend checks whether the caller may edit the Team, but it does not verify whether the referenced User or Activity falls inside the caller's allowed management scope.
For team member assignment, the frontend form correctly limits the visible user choices. In src/Form/TeamEditForm.php, the team edit form uses UserType:
$builder->add('users', UserType::class, [
'label' => 'add_user.label',
'help' => 'team.add_user.help',
'mapped' => false,
'multiple' => false,
'expanded' => false,
'required' => false,
'ignore_users' => $team !== null ? $team->getUsers() : []
]);In src/Form/Type/UserType.php, the user selector is built from UserRepository::getQueryBuilderForFormType():
$query = new UserFormTypeQuery();
$query->setUser($options['user']);
$qb = $this->userRepository->getQueryBuilderForFormType($query);
$users = $qb->getQuery()->getResult();And in src/Repository/UserRepository.php, Teamlead-visible candidates are limited to team members from teams they lead:
if (null !== $user && $user->isTeamlead()) {
$userIds = [];
foreach ($user->getTeams() as $team) {
if ($team->isTeamlead($user)) {
foreach ($team->getUsers() as $teamMember) {
$userIds[] = $teamMember->getId();
}
}
}
$userIds = array_unique($userIds);
$qb->setParameter('teamMember', $userIds);
$or->add($qb->expr()->in('u.id', ':teamMember'));
}However, the actual member-assignment API does not reuse that restriction. In src/API/TeamController.php:
#[IsGranted('edit', 'team')]
#[Route(methods: ['POST'], path: '/{id}/members/{userId}', name: 'post_team_member', requirements: ['id' => '\d+', 'userId' => '\d+'])]
public function postMemberAction(Team $team, #[MapEntity(mapping: ['userId' => 'id'])] User $member): Response
{
if ($member->isInTeam($team)) {
throw new BadRequestHttpException('User is already member of the team');
}
$team->addUser($member);
$this->teamService->saveTeam($team);
}For activity assignment, the same pattern appears. In src/API/TeamController.php:
#[IsGranted('edit', 'team')]
#[Route(methods: ['POST'], path: '/{id}/activities/{activityId}', name: 'post_team_activity', requirements: ['id' => '\d+', 'activityId' => '\d+'])]
public function postActivityAction(Team $team, #[MapEntity(mapping: ['activityId' => 'id'])] Activity $activity, ActivityRepository $activityRepository): Response
{
if ($team->hasActivity($activity)) {
throw new BadRequestHttpException('Team has already access to activity');
}
$team->addActivity($activity);
$activityRepository->saveActivity($activity);
}The Team voter only checks whether the current user may edit that team, not whether the referenced object is within the Teamlead's legitimate scope. In src/Voter/TeamVoter.php:
if (!$user->isAdmin() && !$user->isSuperAdmin() && !$user->isTeamleadOf($subject)) {
return false;
}
return $this->permissionManager->hasRolePermission($user, $attribute . '_team');For activities, this is especially risky because later authorization logic may trust the team assignment that was just written. In src/Security/RolePermissionManager.php:
public function checkTeamAccessActivity(Activity $activity, User $user): bool
{
if ($activity->getProject() !== null && !$this->checkTeamAccessProject($activity->getProject(), $user)) {
return false;
}
return $this->checkTeamAccess($activity->getTeams(), $user);
}So once a Teamlead is able to write a new team/activity relation, later access-control decisions may treat that relation as legitimate input.
*A PoC was provided, but removed for security reasons.*
Impact
This vulnerability allows a Teamlead to use their own editable team as an expansion container for objects that should remain outside their authorized scope. In the validated member-assignment case, the attacker can forcibly add users who are not supposed to be manageable through that Teamlead's visible range. In the activity-assignment case, the attacker can attach activities that are outside the intended authorization boundary of the team.
Once such relations are written, downstream authorization, visibility, and business workflows may start treating them as legitimate. This can affect user scoping, team-based access control, customer/project/activity visibility, time-entry behavior, statistics, and reporting. The issue therefore breaks the trustworthiness of Team as a security isolation container.
Solution
Several new permission checks were added to src/API/TeamController.php -
- Check if user can be accessed with
#[IsGranted('access_user', 'member')]before adding as new team member - Check if customer can be seen with
#[IsGranted('view', 'customer')]before a team is granted access to a customer - Check if project can be seen with
#[IsGranted('view', 'project')]before a team is granted access to a project - Check if activity can be seen with
#[IsGranted('view', 'activity')]before a team is granted access to an activity
See https://www.kimai.org/en/security/ghsa-xv4r-4885-gwpg for more information.
AnalysisAI
Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold an active Teamlead account on the target Kimai instance and must be the Teamlead of at least one editable team (i.e., isTeamleadOf(team) returns true). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No vendor-provided CVSS vector accompanies this advisory, so scoring must be independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Teamlead who knows or can enumerate the numeric IDs of users or activities outside their management scope sends a crafted POST request directly to /api/teams/{id}/members/{userId} with an out-of-scope userId. The backend validates only that the caller may edit the referenced team, grants the operation, and the target user is silently added to the team. … |
| Remediation | Upgrade to Kimai 2.58.0, which adds secondary IsGranted checks in src/API/TeamController.php: access_user on the member before adding them, and view on the customer, project, and activity before granting team access. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xv4r-4885-gwpg