Kimai CVE-2026-52828
MEDIUMSeverity by source
PR:L because a valid TEAMLEAD account is required; I:L as only non-critical export template integrity is affected; no confidentiality or availability impact applies.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
The ExportController web routes for creating and editing export templates are gated only by the class-level create_export permission, which is granted to ROLE_TEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter create_export_template permission, which is granted only to ROLE_ADMIN and ROLE_SUPER_ADMIN. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users including administrators.
Details
The ExportController applies the class-level annotation #[IsGranted('create_export')].
The createExportTemplate (line 210) and editExportTemplate (line 220) methods have no method-level #[IsGranted('create_export_template')] annotation. The permission hierarchy in config/packages/kimai.yaml:103,115,122-123 grants create_export to ROLE_TEAMLEAD via the EXPORT permission set, but create_export_template only to ROLE_ADMIN and ROLE_SUPER_ADMIN.
The API controller correctly requires create_export_template. The UI template (templates/export/index.html.twig:124) correctly hides the create button behind create_export_template. Only the web controller routes are missing the check.
ExportTemplate entities are global - they have no per-user or per-team scoping (src/Entity/ExportTemplate.php:19-56). Any template created or modified by a TEAMLEAD which is marked as "Available for all users" is visible to and usable by every user in the instance.
*A PoC was provided, but removed for security reasons.*
Impact
Any user with ROLE_TEAMLEAD can create and modify global export templates intended to be managed only by administrators. The templates control the structure and content of exported data (columns, renderer, format). While the impact is limited to data integrity manipulation of a non-security-critical resource (no RCE, no credential exposure), it violates the intended permission boundary and allows a lower-privileged user to influence the data output format used by all users including administrators.
Solution
The permission check #[IsGranted('create_export_template')] was added to the ExportController covering the methods createExportTemplate() and editExportTemplate.
See https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h for more details.
AnalysisAI
Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes createExportTemplate and editExportTemplate in ExportController inherit only the class-level create_export permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter create_export_template permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session holding ROLE_TEAMLEAD in the target Kimai instance - ROLE_TEAMLEAD is an elevated role above standard users and must be explicitly assigned by an administrator, so the attacker pool is limited to existing provisioned team leads. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was provided by NVD or the vendor, and no EPSS data is available, so risk metrics are inferred from the description and CWE-862 classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated TEAMLEAD user, aware that the web controller routes do not enforce `create_export_template`, directly navigates to the export template creation endpoint (e.g., `/export/template/create`) rather than using the UI button - which is hidden - or the API, which correctly rejects the request. The controller processes the form submission under the weaker `create_export` permission, persisting a new global ExportTemplate. … |
| Remediation | Upgrade Kimai to version 2.58.0 or later, which adds the `#[IsGranted('create_export_template')]` annotation to both `createExportTemplate()` and `editExportTemplate()` in `ExportController`, closing the authorization gap at the method level. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rw46-qg69-vg6h