SB2026041477 - Authorization bypass through user-controlled key in kimai2

Description

This security bulletin contains information about 1 vulnerability.

1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28685)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive financial information.

The vulnerability exists due to improper access control in the GET /api/invoices/{id} endpoint when handling requests for invoice records by ID. A remote user can request an invoice belonging to a customer assigned to another team to disclose sensitive financial information.

The issue affects the single-item API endpoint, which does not verify access to the invoice's customer, unlike the corresponding web controller.

Remediation

Install update from vendor's website.

References

• https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7
• https://github.com/advisories/GHSA-v33r-r6h2-8wr7