User Preferences API allows standard users to modify: hourly_rate, internal_rate
Affected versions
- Affected versions: <=2.52.0
- Patched version: 2.53.0
- Advisory published: 14 Apr 2026
Severity
Severity: Medium
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-40486 to this issue.
Vulnerability
Kimai contained an authorization flaw in the user preferences API.
In affected versions, a standard user could update the restricted financial profile attributes hourly_rate and internal_rate,
even though those values were not editable through the normal user interface.
This allowed unprivileged accounts to manipulate business-relevant values that influence future billing and financial calculations.
Info
This issue was caused by the API accepting and persisting restricted preference values without enforcing the same permission checks as the GUI.
- The regular web form correctly hid these fields from users without the required permissions
- The preferences API still accepted direct PATCH requests for the same attributes
- An authenticated low-privilege user could change their own financial rates without administrator approval
- The resulting changes could affect future timesheets, invoicing, exports, and internal financial data
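The root cause above is a permission check that existed on the GUI path but not on the API path. The following is an added example, not Kimai's code, modelling that gap: a vulnerable handler that persists whatever the client sends, the hardened handler that applies the same rule on the API path, and a retrospective audit an administrator could run over a preference-change trail after upgrading. The permission name `edit_financial_rates`, the `PreferenceChange` record format and all sample values are assumptions constructed for the example.

```python
"""Added model of the authorization gap described in CVE-2026-40486.

Not Kimai's code: it shows the vulnerable and hardened shapes of a
preferences endpoint, plus a retrospective audit over constructed records.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Attributes the advisory names as restricted to privileged users.
RESTRICTED_PREFERENCES: FrozenSet[str] = frozenset({"hourly_rate", "internal_rate"})

# Hypothetical permission key standing in for whatever the GUI checks;
# Kimai's real permission name is not given in the advisory.
RATE_PERMISSION = "edit_financial_rates"


class PermissionDenied(Exception):
    """Raised when a caller tries to change a preference it may not edit."""


@dataclass
class User:
    username: str
    permissions: FrozenSet[str] = frozenset()
    preferences: Dict[str, object] = field(default_factory=dict)

    def can(self, permission: str) -> bool:
        return permission in self.permissions


def patch_preferences_vulnerable(user: User, payload: Dict[str, object]) -> Dict[str, object]:
    """Vulnerable shape: the API persists every key the client sends,
    relying on the web form to have hidden the restricted fields."""
    user.preferences.update(payload)
    return dict(user.preferences)


def patch_preferences_fixed(user: User, payload: Dict[str, object]) -> Dict[str, object]:
    """Hardened shape: the API applies the same rule as the GUI. A payload
    that touches a restricted key is refused outright (not silently trimmed),
    so the attempt is visible to the caller and can be logged."""
    restricted = RESTRICTED_PREFERENCES.intersection(payload)
    if restricted and not user.can(RATE_PERMISSION):
        raise PermissionDenied(
            f"{user.username} lacks {RATE_PERMISSION} for {sorted(restricted)}"
        )
    user.preferences.update(payload)
    return dict(user.preferences)


@dataclass(frozen=True)
class PreferenceChange:
    """One row of a preference-change audit trail (constructed format)."""
    username: str
    key: str
    old: object
    new: object
    via: str  # "api" or "gui"


def suspicious_rate_changes(changes: Iterable[PreferenceChange],
                            users: Dict[str, User]) -> List[PreferenceChange]:
    """Retrospective check after upgrading: restricted keys changed through
    the API by an account that did not hold the rate permission."""
    flagged = []
    for change in changes:
        if change.key not in RESTRICTED_PREFERENCES or change.via != "api":
            continue
        actor = users.get(change.username)
        if actor is None or not actor.can(RATE_PERMISSION):
            flagged.append(change)
    return flagged


def demo() -> dict:
    """Runs both handlers on the same payload and the audit over constructed rows."""
    alice = User("alice", preferences={"hourly_rate": 50.0, "internal_rate": 30.0, "theme": "dark"})
    admin = User("admin", permissions=frozenset({RATE_PERMISSION}))
    payload = {"theme": "light", "hourly_rate": 500.0}

    # Vulnerable path on a copy of Alice's profile: the rate change is persisted.
    vulnerable_result = patch_preferences_vulnerable(
        User("alice", preferences=dict(alice.preferences)), payload)
    try:
        patch_preferences_fixed(alice, payload)
        fixed_rejected = False
    except PermissionDenied:
        fixed_rejected = True
    # A payload with only unrestricted keys is still accepted for Alice.
    patch_preferences_fixed(alice, {"theme": "light"})

    rows = [
        PreferenceChange("alice", "hourly_rate", 50.0, 500.0, "api"),
        PreferenceChange("alice", "theme", "dark", "light", "api"),
        PreferenceChange("admin", "internal_rate", 30.0, 35.0, "api"),
    ]
    flagged = suspicious_rate_changes(rows, {"alice": alice, "admin": admin})
    return {
        "vulnerable_rate": vulnerable_result["hourly_rate"],
        "fixed_rejected": fixed_rejected,
        "fixed_rate": alice.preferences["hourly_rate"],
        "fixed_theme": alice.preferences["theme"],
        "flagged": [(c.username, c.key) for c in flagged],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler rejects the whole request rather than quietly dropping the restricted keys: a 403-style refusal gives the caller an unambiguous answer and leaves a log entry that the audit function can later correlate, whereas silent trimming hides probing attempts. The same check must live in one place that both the form and the API call, so the two paths cannot drift apart again.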
Solution
Users should update to 2.53.0 or newer.
Credits
- Reported by: udaypali
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-qh43-xrjm-4ggp