Authorization bypass through user-controlled key in kimai2 - #VU135841


Published: June 29, 2026


Vulnerability identifier: #VU135841
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kevin Papst
Affected software:
kimai2

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate another user's favorite (bookmark) state for timesheets.

The vulnerability exists due to improper authorization in the favorite timesheet add and remove endpoints when they handle a user-controlled timesheet identifier. A remote user with a valid account can send crafted requests referencing another user's timesheet ID and thereby add or remove favorite bookmarks on that user's behalf.

The affected endpoints do not verify that the referenced timesheet belongs to the current session user, and the bookmark owner is derived from the referenced timesheet object instead of from the authenticated user. The request therefore changes the targeted user's bookmark state rather than the requester's. This is an insecure direct object reference (CWE-639, Authorization Bypass Through User-Controlled Key); the impact is limited to the integrity of bookmark state, which is what the CVSS vector reflects.
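The following is an added, constructed model of the flaw described above and of the corresponding fix; it is not Kimai code (Kimai is a PHP/Symfony application) and every name, store layout and fixture in it is an assumption. The vulnerable handlers look up a user-supplied timesheet id without an ownership check and take the bookmark owner from the timesheet object, so a request from `alice` referencing `bob`'s timesheet changes `bob`'s favorites. The fixed handlers resolve the id only if it belongs to the session user and key the bookmark by the authenticated user.

```python
# Model of the CWE-639 issue: favorite add/remove handlers that accept a
# user-controlled timesheet id, skip the ownership check, and derive the
# bookmark owner from the referenced timesheet instead of the session user.
# Constructed example, not Kimai code; all names here are assumptions.
from dataclasses import dataclass, field


@dataclass
class Timesheet:
    id: int
    user: str  # username of the timesheet's owner


@dataclass
class Store:
    # timesheet id -> Timesheet
    timesheets: dict = field(default_factory=dict)
    # username -> set of timesheet ids that user has bookmarked
    favorites: dict = field(default_factory=dict)


def make_sample_store() -> Store:
    """Constructed fixture: alice owns timesheet 1, bob owns 2 and 3,
    and bob has already bookmarked timesheet 2."""
    store = Store()
    for ts in (Timesheet(1, "alice"), Timesheet(2, "bob"), Timesheet(3, "bob")):
        store.timesheets[ts.id] = ts
    store.favorites["bob"] = {2}
    return store


# ---- vulnerable handlers (the behaviour the advisory describes) ----

def add_favorite_vulnerable(store: Store, session_user: str, timesheet_id: int) -> str:
    """Bookmark timesheet_id for whoever owns it; session_user is never consulted."""
    ts = store.timesheets[timesheet_id]   # user-controlled key, no ownership check
    owner = ts.user                       # BUG: owner taken from the referenced object
    store.favorites.setdefault(owner, set()).add(ts.id)
    return owner                          # the account whose state actually changed


def remove_favorite_vulnerable(store: Store, session_user: str, timesheet_id: int) -> str:
    """Drop the bookmark for timesheet_id from whoever owns it."""
    ts = store.timesheets[timesheet_id]
    owner = ts.user                       # BUG: same derivation as above
    store.favorites.get(owner, set()).discard(ts.id)
    return owner


# ---- fixed handlers ----

def _owned_timesheet(store: Store, session_user: str, timesheet_id: int) -> Timesheet:
    """Resolve the id only if the timesheet belongs to the session user.
    A foreign id is reported exactly like a missing one so the response does
    not confirm that another user's timesheet exists (general IDOR hardening;
    the advisory itself does not discuss enumeration)."""
    ts = store.timesheets.get(timesheet_id)
    if ts is None or ts.user != session_user:
        raise LookupError(f"timesheet {timesheet_id} not found")
    return ts


def add_favorite_fixed(store: Store, session_user: str, timesheet_id: int) -> str:
    ts = _owned_timesheet(store, session_user, timesheet_id)
    # The bookmark owner is always the authenticated user, never the object's owner.
    store.favorites.setdefault(session_user, set()).add(ts.id)
    return session_user


def remove_favorite_fixed(store: Store, session_user: str, timesheet_id: int) -> str:
    ts = _owned_timesheet(store, session_user, timesheet_id)
    store.favorites.get(session_user, set()).discard(ts.id)
    return session_user


if __name__ == "__main__":
    s = make_sample_store()
    # alice, authenticated as a low-privileged user, targets bob's timesheets
    print("vulnerable add   ->", add_favorite_vulnerable(s, "alice", 3), s.favorites)
    print("vulnerable remove->", remove_favorite_vulnerable(s, "alice", 2), s.favorites)
    s = make_sample_store()
    try:
        add_favorite_fixed(s, "alice", 3)
    except LookupError as exc:
        print("fixed add        ->", exc, s.favorites)
    print("fixed add (own)  ->", add_favorite_fixed(s, "alice", 1), s.favorites)
```

The ownership test belongs in the handler (or in the authorization layer the handler calls), not in the UI that builds the request: the timesheet id is an attacker-controlled key, and the only trustworthy identity for the bookmark owner is the one bound to the authenticated session.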


Remediation

Install the security update from the vendor's website.

Sources