Skip to main content

Kimai CVE-2026-52825

MEDIUM
Improper Authorization (CWE-285)
2026-07-14 https://github.com/kimai/kimai GHSA-xv4r-4885-gwpg
Share

Severity by source

vuln.today AI
6.4 MEDIUM

Network API, no complexity; PR:L because Teamlead role required; S:C because the integrity violation crosses the authorization boundary affecting other users and activities; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 00:31 vuln.today
Analysis Generated
Jul 14, 2026 - 00:31 vuln.today

DescriptionCVE.org

Summary

Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add users or activities that fall outside their intended visible or manageable scope, even when the frontend correctly hides those targets.

This affects both team member assignment and team activity assignment. The issue is caused by treating "may edit this team" as equivalent to "may attach any referenced object to this team", without performing a second authorization check on the target user or activity.

Details

The issue affects at least the following API routes:

  • POST /api/teams/{id}/members/{userId}
  • POST /api/teams/{id}/activities/{activityId}

In both cases, the backend checks whether the caller may edit the Team, but it does not verify whether the referenced User or Activity falls inside the caller's allowed management scope.

For team member assignment, the frontend form correctly limits the visible user choices. In src/Form/TeamEditForm.php, the team edit form uses UserType:

php
$builder->add('users', UserType::class, [
    'label' => 'add_user.label',
    'help' => 'team.add_user.help',
    'mapped' => false,
    'multiple' => false,
    'expanded' => false,
    'required' => false,
    'ignore_users' => $team !== null ? $team->getUsers() : []
]);

In src/Form/Type/UserType.php, the user selector is built from UserRepository::getQueryBuilderForFormType():

php
$query = new UserFormTypeQuery();
$query->setUser($options['user']);

$qb = $this->userRepository->getQueryBuilderForFormType($query);
$users = $qb->getQuery()->getResult();

And in src/Repository/UserRepository.php, Teamlead-visible candidates are limited to team members from teams they lead:

php
if (null !== $user && $user->isTeamlead()) {
    $userIds = [];
    foreach ($user->getTeams() as $team) {
        if ($team->isTeamlead($user)) {
            foreach ($team->getUsers() as $teamMember) {
                $userIds[] = $teamMember->getId();
            }
        }
    }
    $userIds = array_unique($userIds);
    $qb->setParameter('teamMember', $userIds);
    $or->add($qb->expr()->in('u.id', ':teamMember'));
}

However, the actual member-assignment API does not reuse that restriction. In src/API/TeamController.php:

php
#[IsGranted('edit', 'team')]
#[Route(methods: ['POST'], path: '/{id}/members/{userId}', name: 'post_team_member', requirements: ['id' => '\d+', 'userId' => '\d+'])]
public function postMemberAction(Team $team, #[MapEntity(mapping: ['userId' => 'id'])] User $member): Response
{
    if ($member->isInTeam($team)) {
        throw new BadRequestHttpException('User is already member of the team');
    }

    $team->addUser($member);
    $this->teamService->saveTeam($team);
}

For activity assignment, the same pattern appears. In src/API/TeamController.php:

php
#[IsGranted('edit', 'team')]
#[Route(methods: ['POST'], path: '/{id}/activities/{activityId}', name: 'post_team_activity', requirements: ['id' => '\d+', 'activityId' => '\d+'])]
public function postActivityAction(Team $team, #[MapEntity(mapping: ['activityId' => 'id'])] Activity $activity, ActivityRepository $activityRepository): Response
{
    if ($team->hasActivity($activity)) {
        throw new BadRequestHttpException('Team has already access to activity');
    }

    $team->addActivity($activity);
    $activityRepository->saveActivity($activity);
}

The Team voter only checks whether the current user may edit that team, not whether the referenced object is within the Teamlead's legitimate scope. In src/Voter/TeamVoter.php:

php
if (!$user->isAdmin() && !$user->isSuperAdmin() && !$user->isTeamleadOf($subject)) {
    return false;
}

return $this->permissionManager->hasRolePermission($user, $attribute . '_team');

For activities, this is especially risky because later authorization logic may trust the team assignment that was just written. In src/Security/RolePermissionManager.php:

php
public function checkTeamAccessActivity(Activity $activity, User $user): bool
{
    if ($activity->getProject() !== null && !$this->checkTeamAccessProject($activity->getProject(), $user)) {
        return false;
    }

    return $this->checkTeamAccess($activity->getTeams(), $user);
}

So once a Teamlead is able to write a new team/activity relation, later access-control decisions may treat that relation as legitimate input.

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows a Teamlead to use their own editable team as an expansion container for objects that should remain outside their authorized scope. In the validated member-assignment case, the attacker can forcibly add users who are not supposed to be manageable through that Teamlead's visible range. In the activity-assignment case, the attacker can attach activities that are outside the intended authorization boundary of the team.

Once such relations are written, downstream authorization, visibility, and business workflows may start treating them as legitimate. This can affect user scoping, team-based access control, customer/project/activity visibility, time-entry behavior, statistics, and reporting. The issue therefore breaks the trustworthiness of Team as a security isolation container.

Solution

Several new permission checks were added to src/API/TeamController.php -

  • Check if user can be accessed with #[IsGranted('access_user', 'member')] before adding as new team member
  • Check if customer can be seen with #[IsGranted('view', 'customer')] before a team is granted access to a customer
  • Check if project can be seen with #[IsGranted('view', 'project')] before a team is granted access to a project
  • Check if activity can be seen with #[IsGranted('view', 'activity')] before a team is granted access to an activity

See https://www.kimai.org/en/security/ghsa-xv4r-4885-gwpg for more information.

AnalysisAI

Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Teamlead
Delivery
Enumerate target user or activity IDs via API
Exploit
Craft POST to /api/teams/{id}/members/{userId}
Execution
Backend authorizes team-edit only, skips target-scope check
Persist
Out-of-scope object added to team
Impact
Access downstream data via team-scoped visibility

Vulnerability AssessmentAI

Exploitation The attacker must hold an active Teamlead account on the target Kimai instance and must be the Teamlead of at least one editable team (i.e., isTeamleadOf(team) returns true). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor-provided CVSS vector accompanies this advisory, so scoring must be independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Teamlead who knows or can enumerate the numeric IDs of users or activities outside their management scope sends a crafted POST request directly to /api/teams/{id}/members/{userId} with an out-of-scope userId. The backend validates only that the caller may edit the referenced team, grants the operation, and the target user is silently added to the team. …
Remediation Upgrade to Kimai 2.58.0, which adds secondary IsGranted checks in src/API/TeamController.php: access_user on the member before adding them, and view on the customer, project, and activity before granting team access. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy