Authorization bypass through user-controlled key in kimai2 - CVE-2026-52826

Published: June 29, 2026


Vulnerability identifier: #VU135849
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52826
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kevin Papst
Affected software: kimai2

Detailed vulnerability description

The vulnerability allows a remote user to modify billing-related rate configuration outside their authorized project, customer, or activity scope.

The vulnerability exists due to improper authorization in the project, customer, and activity rate edit endpoints when handling user-controlled parent and rate identifiers in web requests. A remote user can send a crafted request with an authorized parent ID and an unauthorized rate ID to modify billing-related rate configuration outside their authorized project, customer, or activity scope.

The issue affects the ProjectRate, CustomerRate, and ActivityRate editing flows because the application resolves the parent object and rate object independently without verifying that the rate belongs to the referenced parent.
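The pattern the advisory describes, as an added example that is not Kimai's code: a constructed in-memory model of parents (projects, customers or activities) and their rates, with a handler that resolves the parent and the rate independently beside one that verifies the rate belongs to the referenced parent. All names, the permission table and the sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample data (not Kimai's schema): two parents and one rate each.
@dataclass(frozen=True)
class Rate:
    id: int
    parent_id: int   # the project/customer/activity this rate belongs to
    amount: float

PARENTS = {10, 20}
RATES = {
    1: Rate(id=1, parent_id=10, amount=50.0),
    2: Rate(id=2, parent_id=20, amount=90.0),
}
# Which parent ids each user may edit (assumed permission model).
USER_PERMS = {"alice": {10}}

class Forbidden(Exception):
    pass

def _authorize_parent(user: str, parent_id: int) -> None:
    """The only check the vulnerable flow performs: is the user allowed on this parent?"""
    if parent_id not in PARENTS or parent_id not in USER_PERMS.get(user, set()):
        raise Forbidden(f"{user} may not edit parent {parent_id}")

def edit_rate_vulnerable(rates: dict, user: str, parent_id: int,
                         rate_id: int, amount: float) -> Rate:
    """Parent and rate are resolved independently (CWE-639): the parent check
    passes, but the rate id is trusted as-is, so a rate of another parent is edited."""
    _authorize_parent(user, parent_id)
    rate = rates[rate_id]                     # no test that rate.parent_id == parent_id
    rates[rate_id] = replace(rate, amount=amount)
    return rates[rate_id]

def edit_rate_fixed(rates: dict, user: str, parent_id: int,
                    rate_id: int, amount: float) -> Rate:
    """Scopes the rate lookup to the authorized parent before touching it."""
    _authorize_parent(user, parent_id)
    rate = rates.get(rate_id)
    if rate is None or rate.parent_id != parent_id:
        # Treat a foreign rate like a missing one rather than confirming it exists.
        raise LookupError(f"rate {rate_id} not found under parent {parent_id}")
    rates[rate_id] = replace(rate, amount=amount)
    return rates[rate_id]
```

On the vulnerable path, a user authorized only for parent 10 can change rate 2, which belongs to parent 20; the fixed path rejects the same request and leaves the rate untouched.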


How to mitigate CVE-2026-52826

Install the security update from the vendor's website.
