Users could create activities and projects outside their access scope

Affected versions

  • Kimai versions <=2.56.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.57.0
  • Severity: Low
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52821 to this issue

Description

The forms for creating a new activity or a new project let users pick a parent object (the project for an activity, or the customer for a project) directly from the URL, but didn’t check whether the user was actually allowed to add something to that parent. A user with general permission to create activities or projects could therefore attach a new record to a project or customer they had no access to, by passing an unauthorized parent ID in the URL.

  • The issue affects the web forms for creating activities and projects when a parent object is preselected through the URL.
  • The vulnerable routes are /admin/activity/create/{project} and /admin/project/create/{customer}.
  • The controllers required the general create_activity or create_project permission, but didn’t verify edit access on the referenced parent project or customer.
  • Exploitation requires an authenticated user with the corresponding create permission and knowledge of a valid project or customer ID.
  • The impact is limited to creating new activities or projects under unauthorized parents. Injected records could influence timesheet selection and rate inheritance in teams the attacker shouldn’t reach.
  • All Kimai installations were affected.

Solution

The activity and project creation forms now verify that the user has edit access to the referenced parent project or customer and reject the request otherwise.
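As an added illustration that is not Kimai's own code: a hypothetical Symfony controller action for the activity route, showing the general permission check that already existed next to the parent edit check the fix adds. The entity, form, repository, voter attribute and route names are assumptions.

```php
<?php
// Added example, not Kimai's own code: a hypothetical Symfony controller
// action behind /admin/activity/create/{project} carrying the parent check
// the fix describes. Assumed names: Activity, ActivityType, ProjectRepository,
// the route name admin_activity, and a security voter that grants the 'edit'
// attribute on a Project only to users allowed to change that project.

namespace App\Controller;

use App\Entity\Activity;
use App\Form\ActivityType;
use App\Repository\ProjectRepository;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

final class ActivityCreateController extends AbstractController
{
    public function create(
        Request $request,
        int $project,
        ProjectRepository $projects,
        EntityManagerInterface $em,
    ): Response {
        // General permission: this check was present before the fix as well.
        $this->denyAccessUnlessGranted('create_activity');
        $parent = $projects->find($project) ?? throw $this->createNotFoundException();

        // The check that was missing: the parent came straight from the URL and
        // was bound without asking whether the user may edit it. Throws
        // AccessDeniedException (HTTP 403) when the user lacks edit access.
        $this->denyAccessUnlessGranted('edit', $parent);

        $activity = new Activity();
        $activity->setProject($parent);

        $form = $this->createForm(ActivityType::class, $activity);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            $em->persist($activity);
            $em->flush();
            return $this->redirectToRoute('admin_activity');
        }

        return $this->render('activity/edit.html.twig', ['form' => $form->createView()]);
    }
}
```

The same pattern applies to /admin/project/create/{customer}, with the customer as the parent whose edit access must be granted before the form is built.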

Users should update to 2.57.0 or newer.

Credits

  • Reported by: Mitchell45
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-3q6q-26vg-v97x