← back
CVE-2026-41498

Kimai: Team API Missing Object-Level Authorization

CVSS 3.3 LOWEPSS 0.2%CWE-862
In short

Kimai's Team API allows users with edit_team permission to modify any team, even ones they shouldn't access. This happens because the permission check is too broad and doesn't verify ownership.

Technical detail

The Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], preventing Symfony's TeamVoter from performing object-level authorization checks. An authenticated user with edit_team permission can exploit this to modify any team without entity-level ownership verification, bypassing intended access controls.

Summary generated and translated by AI from the official description.
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Affected products
kimai · kimai

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/kimai/kimai/releases/tag/2.54.0https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm