Malicious websites could stop or restart your time entries while you're logged in
Affected versions
- Kimai versions <=2.57.0 are affected by this security issue
- The issue has been fixed in Kimai 2.58.0
- Severity: Low
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52823 to this issue
Description
Kimai exposed the stop and restart timesheet actions through simple GET URLs, which meant that e.g. a malicious website or email could trigger those actions on behalf of a user who was logged in to Kimai in the same browser.
The attacker couldn’t read any data, but could stop a running time entry or start a new one from an older one without the user’s knowledge.
- Affected feature: the stop and restart timesheet API endpoints (GET /api/timesheets/{id}/stop and GET /api/timesheets/{id}/restart).
- Required access: the victim had to be authenticated in Kimai in the same browser and visit an attacker-controlled page. No special role was needed; the attacker acted with the victim’s own permissions.
- Trigger condition: because these state-changing actions were available as GET requests, they could be initiated by something as simple as loading an image or link from another site, which bypassed normal cross-site request protections.
- Possible impact: a running time entry could be stopped, or a new one created from a historical entry. Changes are written to the database like any other user action.
- All Kimai installations were affected.
Solution
The GET variants of the stop and restart endpoints have been removed.
Both actions are now only available through PATCH requests, which can’t be triggered cross-site through a simple link or image.
Users should update to 2.58.0 or newer.
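The following is an added illustration, not Kimai's code: a toy router that models the pre-fix shape (stop action reachable via GET and PATCH) next to the fixed shape (PATCH only), a simulated cross-site image load to show why the method matters, and a small access-log check that flags GET hits on the stop/restart paths. The session store, timesheet store, handler names and sample log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# --- Constructed request/response model (hypothetical, not Kimai's) --------

@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str = ""

# Hypothetical session store: cookie value -> user.
SESSIONS = {"sess-abc": "alice"}

def fresh_store() -> Dict[int, dict]:
    """Hypothetical timesheet table: entry 7 is currently running."""
    return {7: {"user": "alice", "running": True}}


class Router:
    """Tiny dispatcher keyed on (HTTP method, path pattern)."""
    def __init__(self, store: Dict[int, dict]):
        self.store = store
        self.routes: List[Tuple[str, re.Pattern, Callable]] = []

    def add(self, method: str, pattern: str, handler: Callable) -> None:
        self.routes.append((method, re.compile(pattern), handler))

    def handle(self, req: Request) -> Response:
        user = SESSIONS.get(req.cookies.get("session", ""))
        if user is None:
            return Response(401)
        for method, pattern, handler in self.routes:
            m = pattern.fullmatch(req.path)
            if m and method == req.method:
                return handler(self.store, user, int(m.group("id")))
        return Response(405)  # path known but method not allowed


def stop_timesheet(store, user, ts_id) -> Response:
    """State-changing action: marks a running entry as stopped."""
    ts = store.get(ts_id)
    if ts is None or ts["user"] != user:
        return Response(404)
    ts["running"] = False
    return Response(200, "stopped")


STOP_PATTERN = r"/api/timesheets/(?P<id>\d+)/stop"

def build_router(fixed: bool) -> Router:
    """fixed=False mirrors the pre-2.58.0 shape (GET and PATCH both accepted);
    fixed=True exposes the action through PATCH only, as in the advisory's fix."""
    router = Router(fresh_store())
    router.add("PATCH", STOP_PATTERN, stop_timesheet)
    if not fixed:
        router.add("GET", STOP_PATTERN, stop_timesheet)
    return router


def cross_site_image_load(router: Router) -> Tuple[int, bool]:
    """Models <img src=".../api/timesheets/7/stop"> on a third-party page: the
    browser can only issue a GET and (without SameSite protection) attaches the
    victim's session cookie. Returns (status, entry_still_running)."""
    req = Request("GET", "/api/timesheets/7/stop", {"session": "sess-abc"})
    resp = router.handle(req)
    return resp.status, router.store[7]["running"]


# --- Detection: GET hits on the state-changing paths in access logs --------

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
STATE_PATHS = re.compile(r"/api/timesheets/\d+/(stop|restart)$")

def flag_get_state_changes(lines: List[str]) -> List[str]:
    """Return log lines where a stop/restart endpoint was requested with GET.
    Before the fix these are candidate cross-site triggers; after it they
    should only appear with a 405 status, which makes the check a cheap
    confirmation that the patched build is in place."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("method") == "GET" and STATE_PATHS.search(m.group("path")):
            hits.append(line)
    return hits


# Constructed sample lines in combined log format, not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/timesheets/7/stop HTTP/1.1" 200 12 "https://evil.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "PATCH /api/timesheets/7/stop HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api/timesheets/3/restart HTTP/1.1" 405 0 "https://evil.example/" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/timesheets/3 HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("vulnerable:", cross_site_image_load(build_router(fixed=False)))  # (200, False)
    print("fixed:     ", cross_site_image_load(build_router(fixed=True)))   # (405, True)
    for hit in flag_get_state_changes(SAMPLE_LOG):
        print("GET on state-changing path:", hit)
```

The pre-fix router lets the image load stop the entry with the victim's own session; the fixed router answers 405 and the entry keeps running, because a plain link or image tag cannot emit a PATCH. The log check is the defender's side of the same observation: any GET on those two paths is either an old build still in service or someone probing it.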
Credits
- Reported by: Mitchell45
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-r8vr-m544-qh4h