Authorization bypass through user-controlled key in kimai2 - CVE-2026-52820

Published: June 29, 2026


Vulnerability identifier: #VU135842
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52820
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kevin Papst
Affected software:
kimai2

Detailed vulnerability description

The vulnerability allows a remote user to bypass authorization checks to reassign their own timesheet to an unauthorized project and disclose sensitive project and customer metadata.

The vulnerability exists due to improper access control in the Timesheet API PATCH /api/timesheets/{id} and POST /api/timesheets endpoints when a user-supplied project ID is processed through the Symfony EntityType query_builder. A remote user can submit a crafted project ID, reassigning their own timesheet to a project they are not authorized to use, and then read the modified timesheet with full serialization to disclose sensitive project and customer metadata.

The issue is limited to the attacker's own timesheet records, and reading the modified record with ?full=true exposes serialized project and customer details that would otherwise be filtered by the team ACL.
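As an added illustration of the weakness class described above (this is example code, not Kimai's own form type), the following Symfony form type shows an EntityType whose query_builder accepts any project ID beside a hardened version that restricts the choice list to the caller's teams and re-checks the resolved entity against the security voter; the class names Project and TimesheetType, the 'team_ids' option, the 'p.teams' relation and the 'view' attribute are assumptions.

```php
<?php
// Added example (not Kimai's code). Assumed names: Project, TimesheetType,
// the 'team_ids' option, the 'p.teams' relation and the 'view' voter attribute.
use Doctrine\ORM\EntityRepository;
use Symfony\Bridge\Doctrine\Form\Type\EntityType;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormError;
use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

final class TimesheetType extends AbstractType
{
    public function __construct(private AuthorizationCheckerInterface $auth) {}

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // Weak pattern (CWE-639): every existing project is a valid choice, so a
        // user-controlled ID re-links the timesheet without any ACL check.
        // 'query_builder' => fn (EntityRepository $r) => $r->createQueryBuilder('p'),

        $teamIds = $options['team_ids']; // teams the current user belongs to
        $builder->add('project', EntityType::class, [
            'class' => Project::class,
            // Hardened: only projects visible to the caller's teams are valid
            // choices, so an out-of-scope ID fails form validation.
            'query_builder' => function (EntityRepository $r) use ($teamIds) {
                return $r->createQueryBuilder('p')
                    ->join('p.teams', 't')
                    ->andWhere('t.id IN (:teams)')
                    ->setParameter('teams', $teamIds);
            },
        ]);

        // Defence in depth: re-run the same voter the API uses on the resolved
        // entity, so the check survives a later loosening of the query builder.
        $builder->addEventListener(FormEvents::POST_SUBMIT, function (FormEvent $event): void {
            $field = $event->getForm()->get('project');
            $project = $field->getData();
            if ($project !== null && !$this->auth->isGranted('view', $project)) {
                $field->addError(new FormError('Project is not accessible.'));
            }
        });
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setRequired('team_ids');
    }
}
```

The second check matters because the ?full=true read path serializes whatever project the timesheet now references, so the authorization decision must be made at write time, before the association is stored.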


How to mitigate CVE-2026-52820

Install security update from vendor's website.

Sources