SB20260629127 - Multiple vulnerabilities in kimai2
Published: June 29, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to manipulate another user's favorite bookmark state.
The vulnerability exists due to improper authorization in the favorite timesheet add and remove endpoints when handling user-controlled timesheet identifiers. A remote user can send crafted requests referencing another user's timesheet ID to manipulate another user's favorite bookmark state.
The affected endpoints do not verify that the referenced timesheet belongs to the current session user, and the bookmark owner is derived from the referenced timesheet object instead of the authenticated user.
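The following Python sketch, added here as an illustration and not taken from Kimai's code base, contrasts the flawed pattern described above (bookmark owner derived from the referenced timesheet) with the corrected one (owner is the session user, and the referenced timesheet must belong to that user). The `Timesheet`, `BookmarkStore` and `Forbidden` names and the sample data are constructed for the example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user may not act on the referenced object."""


@dataclass(frozen=True)
class Timesheet:
    id: int
    user_id: int  # owner of the timesheet


@dataclass
class BookmarkStore:
    # owner user id -> set of favourite timesheet ids (constructed in-memory store)
    favourites: dict = field(default_factory=dict)

    def add(self, owner_id: int, timesheet_id: int) -> None:
        self.favourites.setdefault(owner_id, set()).add(timesheet_id)

    def remove(self, owner_id: int, timesheet_id: int) -> None:
        self.favourites.get(owner_id, set()).discard(timesheet_id)

    def is_favourite(self, owner_id: int, timesheet_id: int) -> bool:
        return timesheet_id in self.favourites.get(owner_id, set())


# Constructed sample data: users 100 and 200 each own one timesheet.
TIMESHEETS = {
    1: Timesheet(id=1, user_id=100),
    2: Timesheet(id=2, user_id=200),
}


def add_favorite_vulnerable(store: BookmarkStore, session_user_id: int, timesheet_id: int) -> None:
    """Flawed pattern from the bulletin: the bookmark owner is taken from the
    referenced timesheet, so the session user is never consulted and any
    timesheet id lands on its owner's favourite list."""
    ts = TIMESHEETS[timesheet_id]
    store.add(ts.user_id, ts.id)


def _own_timesheet(session_user_id: int, timesheet_id: int) -> Timesheet:
    """Resolve a timesheet only if it belongs to the authenticated user.
    Unknown ids and foreign ids are rejected identically, so the response
    does not reveal whether an id exists."""
    ts = TIMESHEETS.get(timesheet_id)
    if ts is None or ts.user_id != session_user_id:
        raise Forbidden("timesheet is not owned by the current user")
    return ts


def add_favorite_fixed(store: BookmarkStore, session_user_id: int, timesheet_id: int) -> None:
    """Hardened: owner is the authenticated user, and ownership is verified."""
    ts = _own_timesheet(session_user_id, timesheet_id)
    store.add(session_user_id, ts.id)


def remove_favorite_fixed(store: BookmarkStore, session_user_id: int, timesheet_id: int) -> None:
    ts = _own_timesheet(session_user_id, timesheet_id)
    store.remove(session_user_id, ts.id)
```

The key design point is that the owner key written to the store comes from the session, never from the request or from the looked-up object; the ownership comparison then makes the user-controlled id harmless.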
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-52820)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks to reassign their own timesheet to an unauthorized project and disclose sensitive project and customer metadata.
The vulnerability exists due to improper access control in the Timesheet API PATCH /api/timesheets/{id} and POST /api/timesheets endpoints when processing a user-supplied project ID through the Symfony EntityType query_builder. A remote user can submit a crafted project ID and then read the modified timesheet with full serialization, bypassing authorization checks to reassign their own timesheet to an unauthorized project and disclose sensitive project and customer metadata.
The issue is limited to the attacker's own timesheet records, and reading the modified record with ?full=true exposes serialized project and customer details that would otherwise be filtered by the team ACL.
3) Incorrect authorization (CVE-ID: CVE-2026-52819)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in GET /api/timesheets when processing user-supplied user filters. A remote user can send a crafted request with user or users[] parameters to disclose sensitive information.
The issue affects the list endpoint but not the per-record endpoint, and exposed data can include timesheet details and financial fields such as rate and internalRate.
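As an added illustration (not Kimai's code), the following Python list handler shows the two checks the description above implies for a list endpoint: the requested user filter is validated against the set of users the caller may view, and financial fields are stripped unless the caller holds a rate-viewing permission. The `User`, `Timesheet` and `Forbidden` types, the `visible_user_ids` and `can_view_rates` attributes, and the sample rows are constructed for the example.

```python
from dataclasses import dataclass, asdict


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool
    visible_user_ids: frozenset  # users whose timesheets this caller may list (assumed team scope)
    can_view_rates: bool         # assumed permission gating financial fields


@dataclass(frozen=True)
class Timesheet:
    id: int
    user_id: int
    description: str
    rate: float
    internalRate: float


FINANCIAL_FIELDS = ("rate", "internalRate")

# Constructed sample data: 100 leads a team containing 101; 1 is an admin; 200 is unrelated.
USERS = {
    100: User(100, False, frozenset({100, 101}), False),
    101: User(101, False, frozenset({101}), False),
    1: User(1, True, frozenset(), True),
}
TIMESHEETS = [
    Timesheet(1, 100, "design review", 90.0, 60.0),
    Timesheet(2, 101, "bugfix", 80.0, 55.0),
    Timesheet(3, 200, "board prep", 150.0, 120.0),
]


def permitted_user_scope(caller: User) -> set:
    """Users whose timesheets the caller may list: everyone for an admin,
    otherwise the caller plus the assumed visible set."""
    if caller.is_admin:
        return {t.user_id for t in TIMESHEETS} | set(USERS)
    return set(caller.visible_user_ids) | {caller.id}


def list_timesheets(caller: User, requested_users=None) -> list:
    """GET-style list handler. The user/users[] filter is checked against the
    caller's scope before it touches the query, and the result is redacted."""
    scope = permitted_user_scope(caller)
    requested = set(requested_users) if requested_users else {caller.id}
    outside = requested - scope
    if outside:
        # Fail closed rather than silently narrowing, so the caller learns
        # nothing about records outside their scope.
        raise Forbidden(f"not permitted to list timesheets of users {sorted(outside)}")
    rows = [asdict(t) for t in TIMESHEETS if t.user_id in requested]
    if not caller.can_view_rates:
        rows = [{k: v for k, v in r.items() if k not in FINANCIAL_FIELDS} for r in rows]
    return rows
```

Applying the scope check to the filter parameters, rather than only to per-record lookups, is what closes the gap the bulletin notes between the list endpoint and the per-record endpoint.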
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-52821)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to create business objects under unauthorized projects.
The vulnerability exists due to improper access control in the activity creation flow when handling requests with a preset project identifier. A remote user can send a crafted request with a valid project identifier to create business objects under unauthorized projects.
The issue is persistent and requires knowledge of a valid project identifier.
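Vulnerabilities 2 and 4 share a root cause: a client-supplied project identifier is accepted after an existence check rather than being validated against the projects the caller may actually use. The Python example below is added here to demonstrate the corrective pattern for both flows (timesheet project reassignment and activity creation with a preset project) and for the filtered full serialization mentioned under vulnerability 2; it is not Kimai's code. The `Project`, `Timesheet`, `Activity` and `User` types, the team-based access rule in `accessible_project_ids`, and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    team_ids: frozenset
    is_admin: bool = False


@dataclass(frozen=True)
class Project:
    id: int
    name: str
    customer: str        # customer name, treated as sensitive metadata
    team_ids: frozenset  # teams permitted to use this project (assumed ACL model)


@dataclass
class Timesheet:
    id: int
    user_id: int
    project_id: int


@dataclass(frozen=True)
class Activity:
    name: str
    project_id: int


# Constructed sample data: team 1 may use project 10, team 2 may use project 20.
PROJECTS = {
    10: Project(10, "Website", "Acme Corp", frozenset({1})),
    20: Project(20, "Merger", "Confidential Holdings", frozenset({2})),
}
TIMESHEETS = {
    5: Timesheet(5, user_id=100, project_id=10),
    6: Timesheet(6, user_id=100, project_id=20),  # points at a project user 100 cannot see
}


def accessible_project_ids(user: User) -> set:
    """The allow-list a choice field or query builder should be built from:
    projects the caller's teams may use, not every project that exists."""
    return {p.id for p in PROJECTS.values() if user.is_admin or p.team_ids & user.team_ids}


def resolve_project_choice(user: User, submitted_project_id: int) -> Project:
    """Validate a client-supplied project id against the allow-list."""
    if submitted_project_id not in accessible_project_ids(user):
        raise Forbidden("project is not available to this user")
    return PROJECTS[submitted_project_id]


def patch_timesheet_project(user: User, timesheet_id: int, submitted_project_id: int) -> Timesheet:
    """PATCH-style update: own timesheet only, and the new project must be permitted."""
    ts = TIMESHEETS.get(timesheet_id)
    if ts is None or ts.user_id != user.id:
        raise Forbidden("timesheet is not owned by the current user")
    ts.project_id = resolve_project_choice(user, submitted_project_id).id
    return ts


def create_activity(user: User, name: str, preset_project_id: int) -> Activity:
    """Activity creation with a preset project: same allow-list check."""
    project = resolve_project_choice(user, preset_project_id)
    return Activity(name=name, project_id=project.id)


def serialize_timesheet(user: User, ts: Timesheet, full: bool = False) -> dict:
    """Full serialization expands project and customer details only when the
    caller may access that project; otherwise only the id is emitted."""
    data = {"id": ts.id, "project": ts.project_id}
    if full and ts.project_id in accessible_project_ids(user):
        p = PROJECTS[ts.project_id]
        data["project"] = {"id": p.id, "name": p.name, "customer": p.customer}
    return data
```

Routing every project reference through one `resolve_project_choice` keeps the create, update and read paths consistent, so a record that slips into an unauthorized project by some other route still does not leak its metadata on read.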
5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-52826)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify billing-related rate configuration outside their authorized project, customer, or activity scope.
The vulnerability exists due to improper authorization in the project, customer, and activity rate edit endpoints when handling user-controlled parent and rate identifiers in web requests. A remote user can send a crafted request with an authorized parent ID and an unauthorized rate ID to modify billing-related rate configuration outside their authorized project, customer, or activity scope.
The issue affects the ProjectRate, CustomerRate, and ActivityRate editing flows because the application resolves the parent object and rate object independently without verifying that the rate belongs to the referenced parent.
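The following Python sketch is added to illustrate the parent/child binding check described above and is not Kimai's code. It models the three rate flows with a single generic parent type so that the same check covers project, customer and activity rates; the `Parent`, `Rate`, `Forbidden` and `NotFound` names, the `editor_ids` authorization rule and the sample data are constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass(frozen=True)
class Parent:
    kind: str               # "project", "customer" or "activity"
    id: int
    editor_ids: frozenset   # users allowed to edit this parent and its rates (assumed rule)


@dataclass
class Rate:
    id: int
    parent_kind: str
    parent_id: int
    amount: float


# Constructed sample data: user 100 may edit project 10 only.
PARENTS = {
    ("project", 10): Parent("project", 10, frozenset({100})),
    ("project", 20): Parent("project", 20, frozenset({200})),
    ("customer", 30): Parent("customer", 30, frozenset({200})),
}
RATES = {
    1: Rate(1, "project", 10, 50.0),
    2: Rate(2, "project", 20, 80.0),
    3: Rate(3, "customer", 30, 120.0),
}


def load_parent(kind: str, parent_id: int, user_id: int) -> Parent:
    """Resolve the parent object and enforce the caller's edit permission on it."""
    parent = PARENTS.get((kind, parent_id))
    if parent is None:
        raise NotFound(f"{kind} {parent_id} does not exist")
    if user_id not in parent.editor_ids:
        raise Forbidden(f"user {user_id} may not edit {kind} {parent_id}")
    return parent


def edit_rate_vulnerable(user_id: int, kind: str, parent_id: int, rate_id: int, new_amount: float) -> Rate:
    """Flawed pattern from the bulletin: parent and rate are resolved
    independently, so an authorized parent id authorizes any rate id."""
    load_parent(kind, parent_id, user_id)
    rate = RATES[rate_id]
    rate.amount = new_amount
    return rate


def edit_rate_fixed(user_id: int, kind: str, parent_id: int, rate_id: int, new_amount: float) -> Rate:
    """Hardened: the rate must belong to the parent the caller was authorized on.
    A rate under another parent is treated as not found within this scope."""
    parent = load_parent(kind, parent_id, user_id)
    rate = RATES.get(rate_id)
    if rate is None or (rate.parent_kind, rate.parent_id) != (parent.kind, parent.id):
        raise NotFound(f"rate {rate_id} does not belong to {kind} {parent_id}")
    rate.amount = new_amount
    return rate
```

An equivalent and often simpler fix is to look the rate up through the parent's own collection (for example `parent.rates`) instead of a global repository, so that the binding is enforced by construction rather than by an explicit comparison.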
Remediation
Install the update from the vendor's website.
References
- https://github.com/kimai/kimai/security/advisories/GHSA-j5mc-p8qg-39j7
- https://github.com/kimai/kimai/security/advisories/GHSA-vrr2-g9gh-c3jc
- https://www.kimai.org/en/security/ghsa-vrr2-g9gh-c3jc
- https://github.com/kimai/kimai/security/advisories/GHSA-4m8q-55qv-9pwp
- https://www.kimai.org/en/security/ghsa-4m8q-55qv-9pwp
- https://github.com/kimai/kimai/security/advisories/GHSA-3q6q-26vg-v97x
- https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x
- https://github.com/kimai/kimai/security/advisories/GHSA-2xgg-2x8h-8xw4
- https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4