
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-52826 is an authenticated improper authorization vulnerability in Kimai, an open-source time-tracking application, affecting versions up to and including 2.56.0. The flaw exists in the Web rate editing endpoints for projects, customers, and activities, allowing a user with edit permissions on one authorized parent object to manipulate billing rate records belonging to a different, unauthorized parent object. It was originally published by the Kimai maintainer on June 11, 2026, and added to the GitHub Advisory Database on July 14, 2026. The vulnerability carries a CVSS v4.0 base score of 5.3 (Medium) (GitHub Advisory, Kimai Advisory).
The root cause is classified as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key). The affected routes — GET/POST /en/admin/project/{id}/rate/{rate}, GET/POST /en/admin/customer/{id}/rate/{rate}, and GET/POST /en/admin/activity/{id}/rate/{rate} — resolve the parent object ({id}) and the rate object ({rate}) independently from user-supplied URL parameters. The controller verifies only that the authenticated user has edit rights over the parent referenced by {id}, but performs no validation that the rate referenced by {rate} actually belongs to that same parent (e.g., no check such as $rate->getProject() === $project). Notably, the API delete endpoints already enforce this parent-child relationship, confirming it is a recognized design invariant that was simply omitted from the Web edit controllers. A proof-of-concept was submitted by the reporter but was withheld from public disclosure (GitHub Advisory, Kimai Advisory).
Successful exploitation allows an authenticated attacker to persistently modify billing rate records — stored in kimai2_projects_rates, kimai2_customers_rates, and kimai2_activities_rates — that belong to projects, customers, or activities outside their authorized scope. This can corrupt time-based settlement figures, inherited pricing, cost calculations, budget and revenue reporting, and downstream invoice generation across organizational boundaries. The vulnerability breaks team-based isolation for high-value financial configuration, posing a direct integrity risk to billing data without any confidentiality or availability impact (GitHub Advisory).
{id} from the URL.{rate}) of a rate record belonging to a different, unauthorized project, customer, or activity. Rate IDs may be discoverable through sequential enumeration or by observing other rate edit URLs.GET or POST request to a rate edit endpoint, mixing the authorized parent ID with the unauthorized rate ID — for example: POST /en/admin/project/{authorized_id}/rate/{unauthorized_rate_id} with modified rate values in the request body.{id} and not the parent-child relationship, the server accepts and persists the modified rate values into the database for the unauthorized rate record (GitHub Advisory).GET or POST requests to /en/admin/project/{id}/rate/{rate}, /en/admin/customer/{id}/rate/{rate}, or /en/admin/activity/{id}/rate/{rate} where the {id} and {rate} values correspond to different parent entities (i.e., the rate does not belong to the referenced parent).kimai2_projects_rates, kimai2_customers_rates, or kimai2_activities_rates tables, particularly modifications not initiated by the owning team or administrator.Kimai version 2.57.0 resolves this vulnerability by adding parent-child consistency validation to the rate edit forms for customers, projects, and activities, ensuring the rate referenced in the URL belongs to the parent also referenced in the URL before processing any changes. All users running Kimai 2.56.0 or earlier should upgrade to 2.57.0 immediately. No configuration-based workaround is available; upgrading is the only effective remediation (GitHub Advisory, Kimai Advisory).
The vulnerability was reported by security researcher Mitchell45 and responsibly disclosed to the Kimai maintainer (kevinpapst), who published the advisory on June 11, 2026. No significant broader media coverage, social media discussion, or notable third-party researcher commentary has been identified beyond the official GitHub advisory (Kimai Advisory).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"