1. Home
2. Security
3. Kimai Advisory CVE-2026-41498

Affected versions

• Kimai versions < 2.54.0 are affected by this security issue
• The issue has been fixed in Kimai 2.54.0
• Severity: Low
• The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-41498 to this issue

Description

The Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage.

The team association endpoints in src/API/TeamController.php use #[IsGranted('edit_team')] with a single argument. The controller at src/Controller/TeamController.php correctly uses #[IsGranted('edit', 'team')] with two arguments, passing the requested Team as the subject.

When edit_team is passed as the attribute, TeamVoter::supportsAttribute() returns false because it only recognizes view, edit, and delete. The voter abstains entirely. Only RolePermissionVoter fires, which checks the role-level permission without any entity-level ownership validation.

In default configuration, only ROLE_ADMIN and ROLE_SUPER_ADMIN have edit_team, making the missing check less critical. The vulnerability becomes exploitable if an administrator grants edit_team to a lower-privilege role (such as ROLE_TEAMLEAD) through the permissions UI. In that scenario, the lower-privilege user could modify any team’s membership, customer assignments, project assignments, and activity assignments without being a member or teamlead of that team.

Solution

The Team API endpoints correctly use #[IsGranted('edit', 'team')] and #[IsGranted('delete', 'team')] syntax.

Users should update to 2.54.0 or newer.

Credits

• Reported by: AzureADTrent
• Patched by: kevinpapst

First reported in GitHub advisory: GHSA-jv9x-w4gm-hwcm