SB20260420105 - Multiple vulnerabilities in kimai2
Published: April 20, 2026 Updated: April 21, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Information Exposure Through Timing Discrepancy (CVE-ID: N/A)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to enumerate valid usernames via a timing side channel.
The vulnerability exists due to an observable timing discrepancy in src/API/Authentication/TokenAuthenticator.php when handling requests that carry the legacy X-AUTH-USER and X-AUTH-TOKEN headers. A remote attacker can send specially crafted authentication requests and compare response times to determine whether a given username exists.
The response body and HTTP status are identical for valid and invalid usernames, so the leak is visible only in response latency, and no prior authentication, API token, or session cookie is required.
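The pattern behind this class of bug, as an added example (a model, not Kimai's code): an authenticator that looks the user up first and only pays for the expensive token-hash verification when the user exists returns faster for unknown usernames, even though the response itself is identical. The hardened variant always performs exactly one verification, against a dummy hash when the lookup misses. The user table, salt, token, and PBKDF2 iteration count below are constructed for the demo.

```python
"""Model of a username timing oracle (CWE-208) in a token authenticator.

Added example, not Kimai's code. The account, salt, token and iteration
count are constructed sample data.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 20_000            # assumption: modest so the demo runs quickly
SALT = b"constructed-salt"
VALID_USER = "alice"
VALID_TOKEN = "s3cret-api-token"


def hash_token(token: str) -> bytes:
    """Slow hash standing in for whatever the real token store uses."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), SALT, ITERATIONS)


USERS = {VALID_USER: hash_token(VALID_TOKEN)}

# Hash of a random token nobody knows; the hardened path verifies against it
# when the user does not exist so the lookup miss costs the same as a hit.
DUMMY_HASH = hash_token(os.urandom(16).hex())


class Counter:
    """Counts expensive verifications so cost can be checked without timing."""
    verifications = 0


def verify(stored: bytes, presented: str) -> bool:
    Counter.verifications += 1
    return hmac.compare_digest(stored, hash_token(presented))


def authenticate_vulnerable(user: str, token: str) -> bool:
    """Unknown users short-circuit before hashing: same response, faster."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return verify(stored, token)


def authenticate_hardened(user: str, token: str) -> bool:
    """Always run one verification; a match against the dummy hash is never
    accepted, so unknown and known usernames are indistinguishable by cost."""
    stored = USERS.get(user)
    matched = verify(stored if stored is not None else DUMMY_HASH, token)
    return matched and stored is not None


def verification_cost(auth, user: str, token: str) -> int:
    """Number of expensive verifications one request triggers."""
    Counter.verifications = 0
    auth(user, token)
    return Counter.verifications


def median_latency(auth, user: str, token: str, samples: int = 15) -> float:
    """What a remote probe sees: median wall-clock time per request."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        auth(user, token)
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


if __name__ == "__main__":
    for name, auth in (("vulnerable", authenticate_vulnerable),
                       ("hardened", authenticate_hardened)):
        known = median_latency(auth, VALID_USER, "wrong-token")
        unknown = median_latency(auth, "nobody", "wrong-token")
        print(f"{name:10s} known={known*1e3:7.2f}ms "
              f"unknown={unknown*1e3:7.2f}ms ratio={known / max(unknown, 1e-9):.1f}")
```

Run stand-alone, the vulnerable authenticator shows a ratio far above 1 between known and unknown usernames while the hardened one sits near 1. Measuring latency over the network is noisier, but a median over a few dozen requests per candidate name is usually enough to separate the two classes when the gap is a full password-hash computation.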
2) Missing Authorization (CVE-ID: CVE-2026-41498)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify team associations and disclose limited team-related information.
The vulnerability exists due to missing authorization in the Team API endpoints that handle team association operations. A remote privileged user can send a specially crafted API request to alter team membership and the customer, project, and activity assignments of a team, and thereby disclose limited team-related information.
The issue is exploitable only if an administrator has granted the edit_team permission to a lower-privilege role through the permissions UI, which is why the vector rates the required privileges as high (PR:H).
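Why granting a role-level permission turns into a missing-authorization bug, as an added example (a model, not Kimai's code): an endpoint that checks only "does the caller's role carry edit_team" has no object-level check tying the caller to the specific team or to the object being attached. The hardened handler adds those checks. The role table, team, project visibility rule (caller must be a teamlead of the target team unless an administrator, and must be able to see the project) and all names below are assumptions constructed for the demo.

```python
"""Model of missing object-level authorization (CWE-862) on a team
association endpoint. Added example, not Kimai's code; the policy and
data are assumptions constructed for the demo."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class User:
    name: str
    roles: set


@dataclass
class Team:
    name: str
    teamleads: set = field(default_factory=set)
    members: set = field(default_factory=set)
    projects: set = field(default_factory=set)


# Constructed role table: an admin has handed edit_team to the basic role.
PERMISSIONS = {
    "ROLE_USER": {"view_team", "edit_team"},
    "ROLE_ADMIN": {"view_team", "edit_team", "view_project", "edit_project"},
}

# Constructed visibility: which projects each user may see.
VISIBLE_PROJECTS = {
    "carol": {"Website"},
    "bob": set(),
    "root": {"Website", "Payroll"},
}


def has_permission(user: User, perm: str) -> bool:
    return any(perm in PERMISSIONS.get(role, ()) for role in user.roles)


def add_project_vulnerable(user: User, team: Team, project: str) -> Team:
    """Only the role permission is consulted; any edit_team holder may
    attach any project to any team."""
    if not has_permission(user, "edit_team"):
        raise Forbidden("edit_team required")
    team.projects.add(project)
    return team


def add_project_hardened(user: User, team: Team, project: str) -> Team:
    """Role permission plus object-level checks: caller must lead this team
    (or be an administrator) and must be allowed to see the project."""
    if not has_permission(user, "edit_team"):
        raise Forbidden("edit_team required")
    is_admin = "ROLE_ADMIN" in user.roles
    if not is_admin and user.name not in team.teamleads:
        raise Forbidden(f"{user.name} does not lead team {team.name}")
    if not is_admin and project not in VISIBLE_PROJECTS.get(user.name, set()):
        raise Forbidden(f"{user.name} cannot see project {project}")
    team.projects.add(project)
    return team


def attempt(handler, user: User, team: Team, project: str) -> bool:
    """True if the handler let the association through."""
    try:
        handler(user, team, project)
        return True
    except Forbidden:
        return False


def make_sales_team() -> Team:
    return Team("Sales", teamleads={"carol"}, members={"carol", "bob"})


if __name__ == "__main__":
    bob = User("bob", {"ROLE_USER"})          # member, not teamlead
    carol = User("carol", {"ROLE_USER"})      # teamlead of Sales
    print("vulnerable, bob attaches Payroll:",
          attempt(add_project_vulnerable, bob, make_sales_team(), "Payroll"))
    print("hardened,   bob attaches Payroll:",
          attempt(add_project_hardened, bob, make_sales_team(), "Payroll"))
    print("hardened,   carol attaches Website:",
          attempt(add_project_hardened, carol, make_sales_team(), "Website"))
```

The point to carry over when reviewing an API: a permission grant made in a UI changes who reaches the endpoint, so every handler that mutates relationships between objects needs its own check that the caller is entitled to both ends of the relationship, not only to the verb.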
Remediation
Install the update from the vendor's website.