
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-52825 is an authenticated improper authorization vulnerability in Kimai, an open-source time-tracking application, affecting the Team Member and Team Activity Assignment APIs. A Teamlead who has permission to edit their own team can directly call backend API endpoints to add users or activities that fall outside their authorized management scope, bypassing frontend restrictions. The vulnerability affects Kimai versions up to and including 2.57.0, with version 2.58.0 containing the fix. It was originally published on June 11, 2026, and added to the GitHub Advisory Database on July 14, 2026. The CVSS v4 base score is 5.3 (Medium) (GitHub Advisory, Kimai Advisory).
The root cause is classified as CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization). The backend TeamController.php uses #[IsGranted('edit', 'team')] to verify only that the caller may edit the target team, but performs no secondary authorization check to confirm whether the referenced User or Activity object falls within the Teamlead's permitted management scope. The vulnerable API routes are POST /api/teams/{id}/members/{userId} and POST /api/teams/{id}/activities/{activityId}. While the frontend form (TeamEditForm.php) correctly restricts visible user choices via UserRepository::getQueryBuilderForFormType(), this restriction is not enforced server-side in the API layer. The activity assignment case is particularly risky because RolePermissionManager::checkTeamAccessActivity() trusts existing team/activity relations, meaning a fraudulently written relation can influence subsequent access-control decisions (GitHub Advisory).
Successful exploitation allows a Teamlead to use their own editable team as an expansion container to attach users and activities that should remain outside their authorized scope. This breaks the integrity of Kimai's team-based security isolation model, potentially affecting user scoping, customer/project/activity visibility, time-entry behavior, statistics, and reporting. Once unauthorized relations are written to the database, downstream authorization logic may treat them as legitimate, compounding the access control bypass. There is no direct confidentiality or availability impact at the system level, but the integrity of access control boundaries is undermined (Kimai Advisory).
GET /api/users or GET /api/activities) to enumerate user IDs or activity IDs that are outside the Teamlead's normal visible scope. These may be accessible via the API even if not shown in the frontend.POST /api/teams/{teamId}/members/{targetUserId}POST /api/teams/{teamId}/activities/{targetActivityId}checkTeamAccessActivity()) may grant the Teamlead or their team members access to the newly attached resources, including visibility into projects, customers, time entries, and reports (GitHub Advisory, Kimai Advisory).POST requests to /api/teams/{id}/members/{userId} or /api/teams/{id}/activities/{activityId} originating from Teamlead accounts, particularly where the referenced userId or activityId does not belong to the Teamlead's normal visible scope.Upgrade Kimai to version 2.58.0 or later, which adds the following permission checks in src/API/TeamController.php: #[IsGranted('access_user', 'member')] before adding a team member, and #[IsGranted('view', 'activity')] before granting a team access to an activity (along with equivalent checks for customers and projects). No configuration-based workaround is available for unpatched versions; the only effective remediation is upgrading. Organizations unable to upgrade immediately should consider restricting Teamlead API access at the network or application firewall level (GitHub Advisory, Kimai Advisory).
The vulnerability was reported by security researcher Mitchell45 and patched by Kimai maintainer kevinpapst. The advisory was published on June 11, 2026, and added to the GitHub Advisory Database on July 14, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (GitHub Advisory).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"