Missing Voter Check Allows Cross-Team Timesheet Manipulation

Affected versions

  • Affected versions: <= 2.55.0
  • Patched version: 2.56.0
  • Advisory published: 27 Apr 2026

Severity

Severity: Medium

We have not requested an official CVE ID for this security advisory.

Vulnerability

Kimai’s *_other_timesheet permissions grant global access by design. Any user holding them — typically ROLE_TEAMLEAD — can read, modify, and permanently delete timesheets belonging to any other user in the system, regardless of team membership.

This is documented permission behavior rather than a regression, but the cross-team data destruction (deleted timesheets) and tampering (for example, changed timesheet durations) it allows are addressed by team-scoped enforcement in 2.56.0.

Info

A user holding the relevant permissions — typically ROLE_TEAMLEAD — can:

  1. Permanently delete timesheets belonging to any user system-wide (permission delete_other_timesheet)
  2. Silently alter timesheet descriptions, hours, and billing flags (permission edit_other_timesheet)
  3. Enumerate timesheet data via guessed IDs (permission view_other_timesheet)

Regular ROLE_USER accounts are correctly restricted; the issue is specific to the listed permissions receiving global scope instead of team-scoped access.
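To make the scope difference concrete, the following is an added example (not Kimai's own code and not the 2.56.0 patch) that models the two ways a `*_other_timesheet` check can be evaluated: globally, as the advisory describes for <= 2.55.0, and team-scoped, where the permission is necessary but the timesheet owner must additionally belong to a team the actor leads. The `User`, `Timesheet`, `isGrantedGlobal` and `isGrantedTeamScoped` names, the `leadOf` membership model and the constructed sample users are assumptions for illustration; only the permission names and the ROLE_TEAMLEAD mapping come from the advisory. A real Symfony voter would place this logic in `voteOnAttribute`, which is left out so the script runs without the framework.

```php
<?php
declare(strict_types=1);

// Added illustration, not Kimai's code. Class/function names and the
// "leadOf" team model are assumptions; permission names follow the advisory.

final class User
{
    /**
     * @param string[] $roles   e.g. ROLE_USER, ROLE_TEAMLEAD
     * @param string[] $teams   ids of teams the user belongs to
     * @param string[] $leadOf  ids of teams the user leads (assumed model)
     */
    public function __construct(
        public readonly string $name,
        public readonly array $roles,
        public readonly array $teams,
        public readonly array $leadOf = [],
    ) {
    }
}

final class Timesheet
{
    public function __construct(public readonly int $id, public readonly User $owner)
    {
    }
}

// Role -> permission mapping as documented for ROLE_TEAMLEAD (own_* entries assumed for ROLE_USER).
const ROLE_PERMISSIONS = [
    'ROLE_USER'     => ['view_own_timesheet', 'edit_own_timesheet', 'delete_own_timesheet'],
    'ROLE_TEAMLEAD' => [
        'view_own_timesheet', 'edit_own_timesheet', 'delete_own_timesheet',
        'view_other_timesheet', 'edit_other_timesheet', 'delete_other_timesheet',
    ],
];

function hasPermission(User $user, string $permission): bool
{
    foreach ($user->roles as $role) {
        if (in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

/** Global scope (the <= 2.55.0 behavior): holding *_other_timesheet alone decides. */
function isGrantedGlobal(User $actor, string $action, Timesheet $ts): bool
{
    $suffix = $ts->owner === $actor ? 'own' : 'other';
    return hasPermission($actor, "{$action}_{$suffix}_timesheet");
}

/** Team-scoped variant: the permission is required AND the owner must be in a team the actor leads. */
function isGrantedTeamScoped(User $actor, string $action, Timesheet $ts): bool
{
    if ($ts->owner === $actor) {
        return hasPermission($actor, "{$action}_own_timesheet");
    }
    return hasPermission($actor, "{$action}_other_timesheet")
        && array_intersect($actor->leadOf, $ts->owner->teams) !== [];
}

// Constructed sample data: one teamlead of team-a, one member of team-a, one member of team-b.
$lead  = new User('lead-a', ['ROLE_TEAMLEAD'], ['team-a'], ['team-a']);
$alice = new User('alice',  ['ROLE_USER'],     ['team-a']);
$bob   = new User('bob',    ['ROLE_USER'],     ['team-b']);

foreach ([new Timesheet(17, $alice), new Timesheet(42, $bob)] as $ts) {
    foreach (['view', 'edit', 'delete'] as $action) {
        printf("lead-a %-6s #%d (%s, %s): global=%s team-scoped=%s\n",
            $action, $ts->id, $ts->owner->name, implode(',', $ts->owner->teams),
            var_export(isGrantedGlobal($lead, $action, $ts), true),
            var_export(isGrantedTeamScoped($lead, $action, $ts), true));
    }
}

// A plain ROLE_USER holds no *_other_timesheet permission, so both checks deny cross-user access.
$aliceTs = new Timesheet(17, $alice);
printf("bob    edit   #%d: global=%s team-scoped=%s\n", $aliceTs->id,
    var_export(isGrantedGlobal($bob, 'edit', $aliceTs), true),
    var_export(isGrantedTeamScoped($bob, 'edit', $aliceTs), true));
```

Run it with `php example.php`. For alice's timesheet (team-a) both checks grant lead-a every action; for bob's timesheet (team-b) the global check still grants view, edit and delete, which is exactly the cross-team access the advisory describes, while the team-scoped check denies all three. The final line shows that a plain ROLE_USER is denied under both variants, matching the statement that regular accounts are correctly restricted.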

Edits and deletions remain visible in the Kimai audit logs.

Why this is not eligible for a CVE

The behavior described matches the documented permission model. Per the Kimai documentation, the relevant permissions granted to ROLE_TEAMLEAD are:

  • edit_other_timesheet — Edit existing records of other users
  • delete_other_timesheet — Delete existing records of other users

These permissions were global by design, not team-scoped. The UI surfaces only the teamlead’s own team timesheets, but the API has historically honored these permissions as documented: a role holding *_other_timesheet can act on any other user’s timesheet.

A long-standing source-code comment marking team-scoped enforcement as a planned enhancement reflects this accurately — the team check was a future improvement, not a security control that existed and failed.

We acknowledge that this behavior may not match what operators expect. We therefore treat it as a feature request for team-scoped permission enforcement rather than a vulnerability, while still tracking it as a change with security implications.

Solution

Team-scoped permission checks for timesheets were added in 2.56.0. Until they update, operators of Kimai <= 2.55.0 who need stricter isolation between teams should not grant ROLE_TEAMLEAD (or any other role carrying the *_other_timesheet permissions) to users who must not act on other teams' timesheets, and should review the audit logs for unexpected cross-team edits or deletions.

Users should update to 2.56.0 or newer.

Credits

  • Reported by: nullvector1
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-9g2q-w3w2-vf7q
