CSRF attack allowed tricking logged-in users into creating teams and changing access

Affected versions

  • Kimai versions <=2.57.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.58.0
  • Severity: Medium
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-49992 to this issue

Description

Kimai’s shortcut for creating a default team could be triggered by a logged-in user opening a malicious web page, without that user meaning to. The hidden action would create or reuse a team, make the user its teamlead, and link a project, customer, or activity to that team, silently changing who has access to that data.

  • The issue affects the “create default team” shortcuts for projects, customers, and activities in the admin area.
  • These shortcuts were reachable through simple GET links, which a malicious web page can trigger automatically when a logged-in user visits it (a cross-site request forgery, or CSRF).
  • Once triggered, the action creates or reuses a team, adds the current user as its teamlead, and binds the target project, customer, or activity to that team.
  • This changes the authorization structure (who can see and manage the affected data), not a harmless personal setting, so the effects can reach into visibility rules, team-based access control, and reporting.
  • The user being tricked must already have permission to manage the permissions of the object in question, so the action runs with their existing access rights.
  • All Kimai installations (OnPremise and Cloud) are affected.

Solution

The affected shortcuts were removed as plain GET links and moved to API POST endpoints, which can’t be triggered by a victim opening a crafted web page.

Users should update to 2.58.0 or newer.
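As an added illustration of the weakness and the fix described above (example code written for this page, not Kimai's own implementation): a "create default team" action exposed as a plain GET link beside a hardened POST handler that checks the request's origin and a session-bound CSRF token. The `Request` and `TeamStore` types, the `kimai.example` origin and the route paths are constructed for the example.

```python
# Added illustration of the CSRF pattern in this advisory. Names, URLs and
# the Request/TeamStore types are constructed; none of it is Kimai's code.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://kimai.example"  # constructed origin of the application


@dataclass
class Request:
    method: str
    path: str
    user: str                                    # user identified by the session cookie
    headers: dict = field(default_factory=dict)  # Origin / Referer
    params: dict = field(default_factory=dict)   # query string (GET)
    form: dict = field(default_factory=dict)     # request body (POST)
    session: dict = field(default_factory=dict)  # server-side session of this user


@dataclass
class TeamStore:
    """Minimal stand-in for the team/project tables."""
    teams: dict = field(default_factory=dict)

    def create_or_reuse(self, name, teamlead, project):
        # Reuse a team of that name or create it with the current user as
        # teamlead, then bind the project to it (the advisory's side effect).
        team = self.teams.setdefault(name, {"teamlead": teamlead, "projects": set()})
        team["projects"].add(project)
        return team


def create_default_team_vulnerable(req, store):
    """Weak pattern: a plain GET link performs a state change. The browser
    attaches the session cookie to any request it is made to send, so the
    handler cannot tell the user's own click from a request another site
    triggered."""
    if req.method != "GET":
        return 405, "method not allowed"
    name = f"Team {req.params['project']}"
    store.create_or_reuse(name, teamlead=req.user, project=req.params["project"])
    return 200, f"{req.user} is now teamlead of '{name}'"


def issue_csrf_token(session):
    """Mint a random token, keep it in the server-side session and embed it
    in the legitimate form as a hidden `_token` field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(req):
    """Browsers send Origin on cross-site POSTs; fall back to Referer. The
    trailing slash stops 'https://kimai.example.evil' from matching."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    return req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def create_default_team_hardened(req, store):
    """Hardened pattern: POST only, same origin only, and the session-bound
    token must be present in the body."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not same_origin(req):
        return 403, "cross-site request rejected"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):  # constant-time
        return 403, "missing or invalid CSRF token"
    name = f"Team {req.form['project']}"
    store.create_or_reuse(name, teamlead=req.user, project=req.form["project"])
    return 200, f"{req.user} is now teamlead of '{name}'"


def demo():
    """Run both handlers against constructed requests; returns the outcomes."""
    results, session = {}, {}
    # 1. Cross-site GET, the advisory's scenario, against the weak handler.
    weak_store = TeamStore()
    cross_site_get = Request("GET", "/admin/project/42/create-team", "alice",
                             headers={"Referer": "https://other.example/page"},
                             params={"project": "42"})
    results["weak_cross_site_get"] = create_default_team_vulnerable(cross_site_get, weak_store)[0]
    results["weak_team_created"] = "Team 42" in weak_store.teams
    # 2. A forged cross-site POST against the hardened handler.
    hard_store = TeamStore()
    forged_post = Request("POST", "/api/project/42/create-team", "alice",
                          headers={"Origin": "https://other.example"},
                          form={"project": "42"}, session=session)
    results["hard_cross_site_post"] = create_default_team_hardened(forged_post, hard_store)[0]
    # 3. Same origin, but no token was ever issued for this session.
    no_token = Request("POST", "/api/project/42/create-team", "alice",
                       headers={"Origin": SITE_ORIGIN}, form={"project": "42"}, session=session)
    results["hard_no_token"] = create_default_team_hardened(no_token, hard_store)[0]
    # 4. Legitimate submission from the rendered form.
    token = issue_csrf_token(session)
    legit = Request("POST", "/api/project/42/create-team", "alice",
                    headers={"Origin": SITE_ORIGIN},
                    form={"project": "42", "_token": token}, session=session)
    results["hard_legit_post"] = create_default_team_hardened(legit, hard_store)[0]
    results["hard_team_created"] = "Team 42" in hard_store.teams
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak handler accepts the cross-site GET and silently makes the user a teamlead; the hardened handler rejects both the cross-site POST and a same-origin POST lacking the token, and only the form-rendered submission goes through. Checking the method alone is not enough, since a cross-site form can still POST; the origin check and the session-bound token are what tie the request to the user's intent.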

Credits

  • Reported by: Mitchell45
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-pgcc-vfmc-7cw5
