Skip to main content

Kimai CVE-2026-52828

MEDIUM
Missing Authorization (CWE-862)
2026-07-14 https://github.com/kimai/kimai GHSA-rw46-qg69-vg6h
Share

Severity by source

vuln.today AI
4.3 MEDIUM

PR:L because a valid TEAMLEAD account is required; I:L as only non-critical export template integrity is affected; no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 01:01 vuln.today
Analysis Generated
Jul 14, 2026 - 01:01 vuln.today

DescriptionCVE.org

Summary

The ExportController web routes for creating and editing export templates are gated only by the class-level create_export permission, which is granted to ROLE_TEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter create_export_template permission, which is granted only to ROLE_ADMIN and ROLE_SUPER_ADMIN. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users including administrators.

Details

The ExportController applies the class-level annotation #[IsGranted('create_export')].

The createExportTemplate (line 210) and editExportTemplate (line 220) methods have no method-level #[IsGranted('create_export_template')] annotation. The permission hierarchy in config/packages/kimai.yaml:103,115,122-123 grants create_export to ROLE_TEAMLEAD via the EXPORT permission set, but create_export_template only to ROLE_ADMIN and ROLE_SUPER_ADMIN.

The API controller correctly requires create_export_template. The UI template (templates/export/index.html.twig:124) correctly hides the create button behind create_export_template. Only the web controller routes are missing the check.

ExportTemplate entities are global - they have no per-user or per-team scoping (src/Entity/ExportTemplate.php:19-56). Any template created or modified by a TEAMLEAD which is marked as "Available for all users" is visible to and usable by every user in the instance.

*A PoC was provided, but removed for security reasons.*

Impact

Any user with ROLE_TEAMLEAD can create and modify global export templates intended to be managed only by administrators. The templates control the structure and content of exported data (columns, renderer, format). While the impact is limited to data integrity manipulation of a non-security-critical resource (no RCE, no credential exposure), it violates the intended permission boundary and allows a lower-privileged user to influence the data output format used by all users including administrators.

Solution

The permission check #[IsGranted('create_export_template')] was added to the ExportController covering the methods createExportTemplate() and editExportTemplate.

See https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h for more details.

AnalysisAI

Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes createExportTemplate and editExportTemplate in ExportController inherit only the class-level create_export permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter create_export_template permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid TEAMLEAD credentials
Delivery
Authenticate to Kimai web interface
Exploit
Directly request template create/edit web route
Execution
Controller authorizes under weaker create_export check
Persist
Submit malicious export template payload
Impact
Global template persisted and applied to all instance users

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session holding ROLE_TEAMLEAD in the target Kimai instance - ROLE_TEAMLEAD is an elevated role above standard users and must be explicitly assigned by an administrator, so the attacker pool is limited to existing provisioned team leads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided by NVD or the vendor, and no EPSS data is available, so risk metrics are inferred from the description and CWE-862 classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated TEAMLEAD user, aware that the web controller routes do not enforce `create_export_template`, directly navigates to the export template creation endpoint (e.g., `/export/template/create`) rather than using the UI button - which is hidden - or the API, which correctly rejects the request. The controller processes the form submission under the weaker `create_export` permission, persisting a new global ExportTemplate. …
Remediation Upgrade Kimai to version 2.58.0 or later, which adds the `#[IsGranted('create_export_template')]` annotation to both `createExportTemplate()` and `editExportTemplate()` in `ExportController`, closing the authorization gap at the method level. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy