Users could edit rates of projects, customers, or activities outside their access
Affected versions
- Kimai versions <=2.57.0 are affected by this security issue
- The issue has been fixed in Kimai 2.57.0
- Severity: Low
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52826 to this issue
Description
The web forms for editing project, customer, and activity rates checked who could edit the parent object, but never verified that the rate being edited actually belonged to it. A user with edit access to one project, customer, or activity could therefore change a rate that belonged to a different one they had no access to, by combining an authorized parent ID with an unauthorized rate ID in the URL.
- The issue affects the web admin rate edit forms for projects, customers, and activities.
- The vulnerable routes are /admin/project/{id}/rate/{rate}, /admin/customer/{id}/rate/{rate}, and /admin/activity/{id}/rate/{rate}.
- The controllers required edit permission on the parent object referenced by {id}, but did not check that the rate referenced by {rate} belonged to that same parent.
- Exploitation requires an authenticated user with permission to edit at least one project, customer, or activity (typically ROLE_TEAMLEAD with the matching edit_* permission). The user also needs to know a valid rate ID.
- The corresponding API delete endpoints already enforced this parent/child check; only the web edit forms were missing it.
- The impact is limited to changing rate values, which can distort billing, budget, and revenue figures for teams the attacker shouldn’t influence.
- All Kimai installations were affected.
Solution
The rate edit forms for projects, customers, and activities now verify that the rate belongs to the parent referenced in the URL and reject the request otherwise.
Users should update to 2.57.0 or newer.
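The following is an added illustration, not Kimai's own code: a simplified model of the rate edit handler before and after the fix, where the parent permission check alone lets an authorized parent ID be paired with a rate belonging to a different parent. The data, user names and exception classes are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the advisory's scenario (not Kimai code): a rate
# belongs to exactly one parent (project, customer or activity), and a
# user holds edit permission on some parents only.

@dataclass
class Rate:
    id: int
    parent_id: int   # the project/customer/activity this rate belongs to
    value: float

class Forbidden(Exception):
    """Caller lacks edit permission on the parent referenced by {id}."""

class NotFound(Exception):
    """No rate matches {rate} (under the given parent, in the fixed version)."""

def sample_rates():
    # Constructed sample: rate 7 belongs to parent 1, rate 9 to parent 2.
    return {7: Rate(7, 1, 80.0), 9: Rate(9, 2, 120.0)}

# Constructed grants: which parent ids each user may edit.
EDIT_GRANTS = {"alice": {1}, "admin": {1, 2}}

def can_edit_parent(user, parent_id):
    return parent_id in EDIT_GRANTS.get(user, set())

def edit_rate_vulnerable(rates, user, parent_id, rate_id, new_value):
    """Pre-fix behaviour: authorizes on {id} only, then loads {rate} blindly."""
    if not can_edit_parent(user, parent_id):
        raise Forbidden()
    rate = rates.get(rate_id)
    if rate is None:
        raise NotFound()
    rate.value = new_value      # rate may belong to a parent the user cannot edit
    return rate

def edit_rate_fixed(rates, user, parent_id, rate_id, new_value):
    """Fixed behaviour: additionally requires the rate to be a child of {id}."""
    if not can_edit_parent(user, parent_id):
        raise Forbidden()
    rate = rates.get(rate_id)
    if rate is None or rate.parent_id != parent_id:
        raise NotFound()        # a rate under another parent is treated as absent
    rate.value = new_value
    return rate

def outcome(fn, *args):
    """Classify an edit attempt as 'ok', 'forbidden' or 'not_found'."""
    try:
        fn(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"
```

With the vulnerable handler, alice (edit rights on parent 1 only) can change rate 9, which belongs to parent 2; the fixed handler rejects that request while still allowing her to edit rate 7.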
Credits
- Reported by: Mitchell45
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-2xgg-2x8h-8xw4