User Preferences API allows standard users to modify: hourly_rate, internal_rate
Affected versions
- Kimai versions <=2.52.0 are affected by this security issue
- The issue has been fixed in Kimai 2.53.0
- Severity: Medium
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-40486 to this issue
Description
Kimai contained an authorization flaw in the user preferences API.
In affected versions, a standard user could update the restricted financial profile attributes hourly_rate and internal_rate,
even though those values were not editable through the normal user interface.
This allowed unprivileged accounts to manipulate business-relevant values that influence future billing and financial calculations.
This issue was caused by the API accepting and persisting restricted preference values without enforcing the same permission checks as the GUI.
- The regular web form correctly hid these fields from users without the required permissions
- The preferences API still accepted direct PATCH requests for the same attributes
- An authenticated low-privilege user could change their own financial rates without administrator approval
- The resulting changes could affect future timesheets, invoicing, exports, and internal financial data
Solution
The fix makes the API reject updates to user preferences that are disabled for the requesting user, so the API now enforces the same restriction as the web form.
Users should update to 2.53.0 or newer.
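The following is an added, illustrative model of the flaw described above and of the fix in the Solution section; it is not Kimai code. The class names, the permission strings and the set of always-editable preference keys are assumptions chosen for the example. The vulnerable handler persists every key in a PATCH body, while the fixed handler derives the editable key set the same way the form does and rejects the whole request when any key falls outside it.

```python
"""Authorization check on a preferences PATCH: vulnerable vs. fixed pattern.

Added example, not Kimai's implementation. User, PermissionDenied, the
permission names and the preference keys below are assumptions for
illustration only.
"""
from dataclasses import dataclass, field

# Preferences with financial impact. Editing one requires the permission
# mapped to it (assumed names), mirroring what the web form enforces.
RESTRICTED_PREFERENCES = {
    "hourly_rate": "edit_rate_own_profile",
    "internal_rate": "edit_internal_rate_own_profile",
}

# Preferences every authenticated user may change (assumed set).
ALWAYS_EDITABLE = {"timezone", "language"}


class PermissionDenied(Exception):
    """Raised when a request tries to write a preference the user may not edit."""


@dataclass
class User:
    username: str
    permissions: set = field(default_factory=set)
    preferences: dict = field(default_factory=dict)

    def has_permission(self, name: str) -> bool:
        return name in self.permissions


def editable_preferences(user: User) -> set:
    """Keys this user may edit: the same set the GUI would render as fields."""
    allowed = set(ALWAYS_EDITABLE)
    for key, permission in RESTRICTED_PREFERENCES.items():
        if user.has_permission(permission):
            allowed.add(key)
    return allowed


def patch_preferences_vulnerable(user: User, payload: dict) -> dict:
    """Vulnerable pattern: the body is trusted because the form hid the field.

    Every key is persisted, so a low-privilege user can set hourly_rate or
    internal_rate by sending the key directly to the API.
    """
    for key, value in payload.items():
        user.preferences[key] = value
    return user.preferences


def patch_preferences_fixed(user: User, payload: dict) -> dict:
    """Fixed pattern: validate every key against the user's editable set first.

    The check runs over the whole payload before any write, so a request
    mixing allowed and disallowed keys leaves the stored preferences untouched.
    """
    allowed = editable_preferences(user)
    denied = sorted(set(payload) - allowed)
    if denied:
        raise PermissionDenied(
            f"user '{user.username}' may not update: {', '.join(denied)}"
        )
    for key, value in payload.items():
        user.preferences[key] = value
    return user.preferences


def demo() -> dict:
    """Run both handlers on a constructed standard user and report the outcome."""
    base = {"hourly_rate": 50.0, "internal_rate": 30.0, "timezone": "UTC"}
    # Constructed sample request: a standard user trying to raise their own rate.
    payload = {"hourly_rate": 500.0, "timezone": "Europe/Berlin"}

    vulnerable_user = User("alice", preferences=dict(base))
    patch_preferences_vulnerable(vulnerable_user, payload)

    fixed_user = User("alice", preferences=dict(base))
    try:
        patch_preferences_fixed(fixed_user, payload)
        rejected = False
    except PermissionDenied:
        rejected = True

    return {
        "vulnerable_rate_after": vulnerable_user.preferences["hourly_rate"],
        "fixed_rate_after": fixed_user.preferences["hourly_rate"],
        "fixed_timezone_after": fixed_user.preferences["timezone"],
        "fixed_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting the request outright rather than silently dropping the restricted keys is deliberate: a 4xx response makes the attempt visible in API logs, which is the signal a defender would want to alert on, whereas a silent drop hides both the attempt and any client bug that relies on it.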
Credits
- Reported by: udaypali
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-qh43-xrjm-4ggp