Team leads could create and edit global export templates

Affected versions

  • Kimai versions <=2.57.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.58.0
  • Severity: Low
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52828 to this issue

Description

The web pages for creating and editing export templates didn’t enforce the administrator-only permission, so a team lead could open those pages directly and create or change templates meant for administrators. Because export templates are global, any change made this way could affect the data exports of every user in the instance.

  • Affected feature: the web pages for creating and editing global export templates inside the Export section.
  • Required access: an authenticated user with ROLE_TEAMLEAD. Users could visit the template create or edit URLs directly.
  • Permission gap: the web routes only checked the broader “create export” permission (available to team leads), while the matching API endpoint and the UI button correctly required the stricter “create export template” permission reserved for administrators.
  • Scope of impact: export templates aren’t tied to a user or team. A template marked as available for all users could be created or modified by a team lead and would then be visible to every user, including administrators. Templates control which columns, renderer, and format are used for exports — they don’t expose credentials and don’t allow code execution.
  • All Kimai installations were affected.

Solution

The administrator-only permission check is now enforced on the web routes for creating and editing export templates, so team leads can no longer reach those forms directly.
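The following is an added illustration, not Kimai's own code: it models the permission gap described above (web routes checking the broader "create export" permission while the API endpoint checks the administrator-only "create export template" permission) and the corrected state, and it includes a small parity audit that flags a web route whose required permission differs from its API counterpart. Role names, permission identifiers, route names and the `api_` naming convention are assumptions constructed for this example; the real Kimai identifiers may differ.

```python
"""Model of the export-template permission gap (added example, not Kimai code).

Role, permission and route names below are constructed for illustration
and are not the project's real identifiers.
"""
from dataclasses import dataclass

# Assumed role -> permission mapping: team leads hold the broad "create_export"
# permission, only administrators hold "create_export_template".
ROLE_PERMISSIONS = {
    "ROLE_USER": {"view_export"},
    "ROLE_TEAMLEAD": {"view_export", "create_export"},
    "ROLE_ADMIN": {"view_export", "create_export", "create_export_template"},
}


@dataclass(frozen=True)
class Route:
    name: str       # route identifier (constructed)
    surface: str    # "web" or "api"
    required: str   # permission enforced before the route is served


def has_permission(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())


def can_access(role: str, route: Route) -> bool:
    """Authorization decision for one role on one route."""
    return has_permission(role, route.required)


def roles_reaching(route: Route) -> list:
    """All roles that pass the route's permission check, sorted by name."""
    return sorted(r for r in ROLE_PERMISSIONS if can_access(r, route))


# Vulnerable state: the web forms only check the broader permission, while the
# API endpoint for the same action checks the administrator-only permission.
ROUTES_BEFORE = [
    Route("export_template_create", "web", "create_export"),
    Route("export_template_edit", "web", "create_export"),
    Route("api_export_template_create", "api", "create_export_template"),
]

# Fixed state: every surface that creates or edits templates requires the
# administrator-only permission.
ROUTES_AFTER = [
    Route("export_template_create", "web", "create_export_template"),
    Route("export_template_edit", "web", "create_export_template"),
    Route("api_export_template_create", "api", "create_export_template"),
]


def audit_surface_parity(routes: list) -> list:
    """Return (web_route, api_route) pairs whose required permissions differ.

    Web and API routes are paired by name after stripping the assumed "api_"
    prefix. A mismatch means one surface is a weaker entry point to the same
    action, which is exactly the shape of the gap in this advisory.
    """
    by_action = {}
    for route in routes:
        action = route.name[4:] if route.name.startswith("api_") else route.name
        by_action.setdefault(action, {})[route.surface] = route
    mismatches = []
    for surfaces in by_action.values():
        web, api = surfaces.get("web"), surfaces.get("api")
        if web and api and web.required != api.required:
            mismatches.append((web.name, api.name))
    return mismatches


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, "create form reachable by:", roles_reaching(routes[0]))
        print(label, "parity mismatches:", audit_surface_parity(routes))
```

The parity audit is the part worth keeping around: a missing-authorization bug of this kind usually shows up as one surface (web form, API, console command) enforcing a weaker permission than another for the same action, so comparing required permissions across surfaces in a test catches the regression without needing to know which role is "supposed" to reach each route.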

Users should update to 2.58.0 or newer.

Credits

  • Reported by: AzureADTrent
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-rw46-qg69-vg6h