CSRF attack allowed tricking logged-in users into creating teams and changing access

Affected versions

Kimai versions <=2.57.0 are affected by this security issue
The issue has been fixed in Kimai 2.58.0
Severity: Medium
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-49992 to this issue

Description

Kimai’s shortcut for creating a default team could be triggered by a logged-in user opening a malicious web page, without that user meaning to. The hidden action would create or reuse a team, make the user its teamlead, and link a project, customer, or activity to that team, silently changing who has access to that data.

The issue affects the “create default team” shortcuts for projects, customers, and activities in the admin area.
These shortcuts were reachable through simple GET links, which a malicious web page can trigger automatically when a logged-in user visits it (a cross-site request forgery, or CSRF).
Once triggered, the action creates or reuses a team, adds the current user as its teamlead, and binds the target project, customer, or activity to that team.
This changes the authorization structure (who can see and manage the affected data), not a harmless personal setting, so the effects can reach into visibility rules, team-based access control, and reporting.
The user being tricked must already have permission to manage the permissions of the object in question, so the action runs with their existing access rights.
All Kimai installations (OnPremise and Cloud) are affected.

Solution

The affected shortcuts were removed as plain GET links and moved to API POST endpoints, which can’t be triggered by a victim opening a crafted web page.

Users should update to 2.58.0 or newer.

Credits

Reported by: Mitchell45
Patched by: kevinpapst

First reported in GitHub advisory: GHSA-pgcc-vfmc-7cw5