Users could keep logging time on projects after their access was revoked

Affected versions

  • Kimai versions <=2.57.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.58.0
  • Severity: Low
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52822 to this issue

Description

When a user lost access to a project, Kimai still let them restart or duplicate one of their older time entries — and the resulting new entry was saved under that same, now-unauthorized project and activity. This bypassed the administrator’s access change and could quietly distort project tracking, budgets, reports, and invoices.

  • Affected features: the restart and duplicate actions on time entries, both through the API (PATCH /api/timesheets/{id}/restart and PATCH /api/timesheets/{id}/duplicate) and through the web interface.
  • Required access: any authenticated user who already had time entries on a project, activity, or customer they have since lost team-based access to. No elevated role is needed beyond owning the original entry.
  • Trigger condition: team-based access to a project, activity, or customer was removed after the user had already logged time on it. The regular “new time entry” forms correctly hid the revoked project, but restart and duplicate kept reusing the original assignment from the old entry.
  • Persistence: the new entry was written to the database as a normal time record under the unauthorized project and activity, so it appeared in statistics, budget calculations, reports, and invoicing workflows like any other entry.
  • All Kimai installations were affected.

Solution

The permission check for starting a new time entry now also verifies the user’s current team-based access to the project and activity. This stricter check applies to the regular creation form as well as to the restart and duplicate workflows, so revoking access immediately prevents new entries from being created under that project.

Users should update to 2.58.0 or newer.
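The following is an added illustration of the pattern the advisory describes, not Kimai's own code: restart and duplicate copy the project and activity from the old entry, so the fix routes them through the same current team-access check that the "new time entry" form already applied. The team-visibility rules and entity names here are simplified assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed model of team-based visibility; an assumption, not Kimai's real entities or rules.
@dataclass
class Customer:
    name: str
    teams: set = field(default_factory=set)  # empty set: not team-restricted (assumption)
@dataclass
class Project:
    name: str
    customer: Customer
    teams: set = field(default_factory=set)
@dataclass
class Activity:
    name: str
    teams: set = field(default_factory=set)
@dataclass
class User:
    name: str
    teams: set = field(default_factory=set)
@dataclass
class TimeEntry:
    user: User
    project: Project
    activity: Activity

class AccessDenied(Exception):
    pass

def _visible(user, owner_teams):
    # Unrestricted when no teams are assigned; otherwise the user must share a team.
    return not owner_teams or bool(user.teams & owner_teams)

def can_start(user, project, activity):
    """Re-evaluate access against the user's *current* teams, never the old entry."""
    return (_visible(user, project.customer.teams)
            and _visible(user, project.teams)
            and _visible(user, activity.teams))

def restart_vulnerable(old):
    # Pre-fix pattern: the copied assignment is trusted, so revoked access is ignored.
    return TimeEntry(old.user, old.project, old.activity)

def restart_fixed(old):
    # Post-fix pattern: restart/duplicate go through the same check as a brand-new entry.
    if not can_start(old.user, old.project, old.activity):
        raise AccessDenied(f"{old.user.name} has no current access to {old.project.name}")
    return TimeEntry(old.user, old.project, old.activity)
```

With a user removed from the project's team after logging time, `restart_vulnerable` still produces an entry under that project while `restart_fixed` raises `AccessDenied`.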

Credits

  • Reported by: Mitchell45
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-c6w6-57jj-62vh
