Teamlead users could read other users' timesheets through the API

Affected versions

  • Kimai versions <= 2.56.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.57.0
  • Severity: Low
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52819 to this issue

Description

Kimai’s API allowed users with the teamlead role to read timesheet records belonging to users they shouldn’t have access to. By calling the timesheet list endpoint with another user’s ID, a teamlead could retrieve that user’s records without being assigned as teamlead of any team containing the target user.

  • Required permission: view_other_timesheet, granted by default to ROLE_TEAMLEAD.
  • Affected endpoint: GET /api/timesheets when called with a user or users[] parameter.
  • The per-record endpoint GET /api/timesheets/{id} already enforced the correct check and was not affected.
  • All Kimai installations were affected.

Solution

The list endpoint now applies an access_user check against every requested user ID. If the caller is not allowed to view any one of the requested users, the entire request is rejected rather than silently filtered down to the users the caller may see.

Users should update to 2.57.0 or newer.
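
The following is an added example, written for this page and not Kimai's own PHP code: a small Python model of the broken and the fixed list endpoint. The role table, the team model, the access_user() helper, the sample users and timesheets and the status_of() helper are all assumptions made to show why gating the list endpoint on the view_other_timesheet permission alone was not enough, and what checking every requested user ID changes.

```python
# Added example modelling CVE-2026-52819 (Kimai <= 2.56.0 vs. 2.57.0).
# This is NOT Kimai's code: the role table, team model, access_user() helper
# and the endpoint functions are simplified assumptions written to show why
# checking the caller's role permission alone lets a teamlead read any user.
from dataclasses import dataclass

VIEW_OTHER_TIMESHEET = "view_other_timesheet"
ROLE_PERMISSIONS = {            # assumption: only the permission this advisory names
    "ROLE_USER": set(),
    "ROLE_TEAMLEAD": {VIEW_OTHER_TIMESHEET},
}


@dataclass(frozen=True)
class User:
    id: int
    role: str


@dataclass(frozen=True)
class Team:
    teamlead_ids: frozenset
    member_ids: frozenset


class Forbidden(Exception):
    """Stands in for an HTTP 403 from the API."""


# Constructed sample data: alice leads team A (member bob); dave leads team B (member carol).
USERS = {
    1: User(1, "ROLE_TEAMLEAD"),   # alice
    2: User(2, "ROLE_USER"),       # bob
    3: User(3, "ROLE_USER"),       # carol
    4: User(4, "ROLE_TEAMLEAD"),   # dave
}
TEAMS = [
    Team(frozenset({1}), frozenset({2})),
    Team(frozenset({4}), frozenset({3})),
]
TIMESHEETS = [
    {"id": 10, "user_id": 1, "description": "alice: planning"},
    {"id": 20, "user_id": 2, "description": "bob: feature work"},
    {"id": 30, "user_id": 3, "description": "carol: support shift"},
]


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def access_user(caller: User, target_id: int, teams) -> bool:
    """May `caller` view `target_id`'s timesheets? Self always; otherwise the
    caller needs the permission AND must lead a team containing the target."""
    if caller.id == target_id:
        return True
    if not has_permission(caller, VIEW_OTHER_TIMESHEET):
        return False
    return any(caller.id in t.teamlead_ids and target_id in t.member_ids for t in teams)


def list_timesheets_vulnerable(caller: User, user_ids, timesheets=TIMESHEETS):
    """Pre-2.57.0 behaviour as modelled here: the role permission is the only
    gate, so the user IDs in the request are never checked against teams."""
    if any(uid != caller.id for uid in user_ids) and not has_permission(caller, VIEW_OTHER_TIMESHEET):
        raise Forbidden("missing view_other_timesheet")
    return [t for t in timesheets if t["user_id"] in user_ids]


def list_timesheets_fixed(caller: User, user_ids, timesheets=TIMESHEETS, teams=TEAMS):
    """2.57.0 behaviour as modelled here: access_user() runs for every requested
    ID, and one failure rejects the whole request instead of filtering it."""
    for uid in user_ids:
        if not access_user(caller, uid, teams):
            raise Forbidden(f"caller {caller.id} may not view user {uid}")
    return [t for t in timesheets if t["user_id"] in user_ids]


def get_timesheet(caller: User, ts_id: int, timesheets=TIMESHEETS, teams=TEAMS):
    """Per-record endpoint: checks the record owner, so it was unaffected."""
    for t in timesheets:
        if t["id"] == ts_id:
            if not access_user(caller, t["user_id"], teams):
                raise Forbidden(f"caller {caller.id} may not view timesheet {ts_id}")
            return t
    return None


def status_of(endpoint, *args) -> int:
    """Collapse an endpoint call to the HTTP status it would produce."""
    try:
        endpoint(*args)
        return 200
    except Forbidden:
        return 403


if __name__ == "__main__":
    alice = USERS[1]
    print("vulnerable, users[]=3:", [t["id"] for t in list_timesheets_vulnerable(alice, [3])])
    print("fixed, users[]=3:", status_of(list_timesheets_fixed, alice, [3]))
    print("fixed, users[]=2,3:", status_of(list_timesheets_fixed, alice, [2, 3]))
    print("fixed, users[]=2:", [t["id"] for t in list_timesheets_fixed(alice, [2])])
```

The point to take from the model is the gap between a role check and an object-level check: alice holds view_other_timesheet, so the vulnerable list endpoint hands her carol's records even though she leads no team containing carol, while the per-record endpoint and the fixed list endpoint both ask "may this caller see this user?" for each user involved. When auditing similar APIs, test the list or bulk variant of every endpoint with IDs outside the caller's scope, not just the single-object variant.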

Credits

  • Reported by: offset
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-4m8q-55qv-9pwp
