CVE-2026-28685

Kimai: API invoice endpoint missing customer-level access control (IDOR)

CVSS 6.5 (Medium) · EPSS 0.4% · CWE-285
In short

Kimai's invoice API endpoint allows team leads to view all invoices in the system, even those belonging to customers they shouldn't have access to. This happens because the system only checks if the user has permission to view invoices in general, but doesn't verify they actually work with that specific customer.

Technical detail

The GET /api/invoices/{id} endpoint implements role-based access control (ROLE_TEAMLEAD) but lacks customer-level ownership validation, resulting in an Insecure Direct Object Reference (IDOR) vulnerability. An authenticated user with ROLE_TEAMLEAD can enumerate and retrieve sensitive invoice data across all customers regardless of team assignment. This affects confidentiality of financial and business data across organizational boundaries.

Official description
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
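The gap the advisory describes is an authorization check that stops at the role layer. The following Python model, added here as an illustration and not Kimai's own code (Kimai is PHP; all class, function and data names below are hypothetical, apart from ROLE_TEAMLEAD and view_invoice which the advisory names), puts the role-only check beside the hardened form that also verifies the requester's team is assigned to the invoice's customer, and adds a small audit over constructed access records that flags cross-customer reads a defender would want to find in logs from before the upgrade to 2.51.0.

```python
from dataclasses import dataclass

# Constructed illustration of the authorization gap described in the advisory.
# Class and function names are hypothetical; this is not Kimai's code, and the
# only names taken from the advisory are ROLE_TEAMLEAD and view_invoice.

ROLE_USER = "ROLE_USER"
ROLE_TEAMLEAD = "ROLE_TEAMLEAD"

# Role -> granted permissions (constructed; models "ROLE_TEAMLEAD grants view_invoice").
ROLE_PERMISSIONS = {
    ROLE_USER: frozenset(),
    ROLE_TEAMLEAD: frozenset({"view_invoice"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    team_customers: frozenset  # ids of customers assigned to the user's teams


@dataclass(frozen=True)
class Invoice:
    id: int
    customer_id: int
    total: float


class Forbidden(Exception):
    """Raised when an access decision denies the request."""


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def can_access_customer(user: User, customer_id: int) -> bool:
    """Ownership check: the user may only see customers of their own teams."""
    return customer_id in user.team_customers


def get_invoice_vulnerable(user: User, invoices: dict, invoice_id: int) -> Invoice:
    """Pre-2.51.0 behaviour as described: only the role permission is checked,
    so any team lead can read any invoice id (the IDOR)."""
    if not has_permission(user, "view_invoice"):
        raise Forbidden("missing view_invoice")
    return invoices[invoice_id]


def get_invoice_fixed(user: User, invoices: dict, invoice_id: int) -> Invoice:
    """Hardened form: role permission AND customer-level ownership."""
    if not has_permission(user, "view_invoice"):
        raise Forbidden("missing view_invoice")
    invoice = invoices.get(invoice_id)
    if invoice is None or not can_access_customer(user, invoice.customer_id):
        # Same response for "does not exist" and "not yours", so the endpoint
        # does not reveal which invoice ids exist.
        raise Forbidden("invoice not found")
    return invoice


def audit_invoice_reads(users: dict, invoices: dict, log: list) -> list:
    """Detection over access records: flag successful invoice reads whose
    customer is outside the requester's teams. Log entries are constructed
    (username, invoice_id, http_status) tuples."""
    findings = []
    for username, invoice_id, status in log:
        if status != 200:
            continue
        invoice = invoices.get(invoice_id)
        if invoice is None:
            continue
        if not can_access_customer(users[username], invoice.customer_id):
            findings.append((username, invoice_id, invoice.customer_id))
    return findings


# Constructed sample data: two customers, each served by a different team.
USERS = {
    "lead_a": User("lead_a", ROLE_TEAMLEAD, frozenset({1})),
    "lead_b": User("lead_b", ROLE_TEAMLEAD, frozenset({2})),
    "worker": User("worker", ROLE_USER, frozenset({1})),
}
INVOICES = {
    100: Invoice(100, customer_id=1, total=1200.0),
    101: Invoice(101, customer_id=2, total=4800.0),
}
ACCESS_LOG = [
    ("lead_a", 100, 200),
    ("lead_a", 101, 200),  # cross-customer read: only possible before 2.51.0
    ("lead_b", 101, 200),
    ("worker", 100, 403),
]

if __name__ == "__main__":
    print(get_invoice_vulnerable(USERS["lead_a"], INVOICES, 101))  # customer 2's invoice leaks
    try:
        get_invoice_fixed(USERS["lead_a"], INVOICES, 101)
    except Forbidden as exc:
        print("fixed:", exc)
    print(audit_invoice_reads(USERS, INVOICES, ACCESS_LOG))
```

The fixed variant deliberately returns the same error for a missing invoice and for one outside the caller's teams; distinguishing the two would turn the endpoint into an existence oracle for invoice ids even after the ownership check is in place.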
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
kimai · kimai
