CVE-2026-52826
PHP Schwachstellenanalyse und -minderung

Überblick

CVE-2026-52826 is an authenticated improper authorization vulnerability in Kimai, an open-source time-tracking application, affecting versions up to and including 2.56.0. The flaw exists in the Web rate editing endpoints for projects, customers, and activities, allowing a user with edit permissions on one authorized parent object to manipulate billing rate records belonging to a different, unauthorized parent object. It was originally published by the Kimai maintainer on June 11, 2026, and added to the GitHub Advisory Database on July 14, 2026. The vulnerability carries a CVSS v4.0 base score of 5.3 (Medium) (GitHub Advisory, Kimai Advisory).

Technische Details

The root cause is classified as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key). The affected routes — GET/POST /en/admin/project/{id}/rate/{rate}, GET/POST /en/admin/customer/{id}/rate/{rate}, and GET/POST /en/admin/activity/{id}/rate/{rate} — resolve the parent object ({id}) and the rate object ({rate}) independently from user-supplied URL parameters. The controller verifies only that the authenticated user has edit rights over the parent referenced by {id}, but performs no validation that the rate referenced by {rate} actually belongs to that same parent (e.g., no check such as $rate->getProject() === $project). Notably, the API delete endpoints already enforce this parent-child relationship, confirming it is a recognized design invariant that was simply omitted from the Web edit controllers. A proof-of-concept was submitted by the reporter but was withheld from public disclosure (GitHub Advisory, Kimai Advisory).

Aufprall

Successful exploitation allows an authenticated attacker to persistently modify billing rate records — stored in kimai2_projects_rates, kimai2_customers_rates, and kimai2_activities_rates — that belong to projects, customers, or activities outside their authorized scope. This can corrupt time-based settlement figures, inherited pricing, cost calculations, budget and revenue reporting, and downstream invoice generation across organizational boundaries. The vulnerability breaks team-based isolation for high-value financial configuration, posing a direct integrity risk to billing data without any confidentiality or availability impact (GitHub Advisory).

Ausnutzungsschritte

  1. Authenticate: Log in to a Kimai instance (version ≤ 2.56.0) with an account that has edit permissions on at least one project, customer, or activity.
  2. Enumerate authorized parent ID: Navigate to an authorized parent object (e.g., a project the attacker can edit) and note its {id} from the URL.
  3. Enumerate target rate ID: Identify the numeric rate ID ({rate}) of a rate record belonging to a different, unauthorized project, customer, or activity. Rate IDs may be discoverable through sequential enumeration or by observing other rate edit URLs.
  4. Craft malicious request: Submit a GET or POST request to a rate edit endpoint, mixing the authorized parent ID with the unauthorized rate ID — for example: POST /en/admin/project/{authorized_id}/rate/{unauthorized_rate_id} with modified rate values in the request body.
  5. Persist unauthorized changes: Because the controller only validates edit rights on the parent {id} and not the parent-child relationship, the server accepts and persists the modified rate values into the database for the unauthorized rate record (GitHub Advisory).

Indikatoren für Kompromittierung

  • Network/HTTP Logs: HTTP GET or POST requests to /en/admin/project/{id}/rate/{rate}, /en/admin/customer/{id}/rate/{rate}, or /en/admin/activity/{id}/rate/{rate} where the {id} and {rate} values correspond to different parent entities (i.e., the rate does not belong to the referenced parent).
  • Database: Unexpected or unauthorized changes to records in the kimai2_projects_rates, kimai2_customers_rates, or kimai2_activities_rates tables, particularly modifications not initiated by the owning team or administrator.
  • Application Logs: Repeated rate edit requests from a single user account targeting multiple different rate IDs across projects, customers, or activities the user does not own, which may indicate enumeration or tampering activity.

Risikominderung und Problemumgehungen

Kimai version 2.57.0 resolves this vulnerability by adding parent-child consistency validation to the rate edit forms for customers, projects, and activities, ensuring the rate referenced in the URL belongs to the parent also referenced in the URL before processing any changes. All users running Kimai 2.56.0 or earlier should upgrade to 2.57.0 immediately. No configuration-based workaround is available; upgrading is the only effective remediation (GitHub Advisory, Kimai Advisory).

Reaktionen der Community

The vulnerability was reported by security researcher Mitchell45 and responsibly disclosed to the Kimai maintainer (kevinpapst), who published the advisory on June 11, 2026. No significant broader media coverage, social media discussion, or notable third-party researcher commentary has been identified beyond the official GitHub advisory (Kimai Advisory).

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt PHP Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-52824CRITICAL9.1
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52827HIGH7.1
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52828MEDIUM5.3
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52826MEDIUM5.3
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52825MEDIUM5.3
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement