Kimai

Menu

• Product
  • Apps & Integrations
  • Demo
  • Blog
  • Support
  • About Kimai
  • Open Source
• Cloud
  • Pricing
  • Changelog
• Self hosting
  • Installation
  • Plugins
  • Forum
• Documentation
  • User manual
  • Cloud
  • Self hosting
  • Developer

English

• Català
• Čeština
• Deutsch
• English
• Español
• Français
• עברית
• Hrvatski
• Italiano
• Dutch
• Polski
• Português (Brasil)
• Slovenčina
• Svenska
• தமிழ்
• Українська
• 中文（繁體）

Start for free

1. Home
2. Security
3. Kimai Advisory CVE-2026-28685

Affected versions

• Kimai versions <= 2.50.0 are affected by this security issue
• The issue has been fixed in Kimai 2.51.0
• Severity: Medium
• The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-28685 to this issue

Description

Kimai contained an insecure direct object reference in the API invoice endpoint. In affected versions, the single-invoice API endpoint checked only the general invoice permission and did not verify that the requesting user had access to the invoice customer.

As a result, users with invoice viewing permissions could access invoices that belonged to customers outside their own team scope.

This issue affected customer-level access control for invoice retrieval through the API.

• The endpoint GET /api/invoices/{id} performed a role check but missed the customer access check
• Team-scoped users could retrieve invoices from other teams by ID
• Invoice data can contain sensitive customer and financial information
• The issue broke intended data isolation in multi-team installations

Solution

A permission checks was added to verify that customer access is also granted.

Users should update to 2.51.0 or newer.

Credits

• Reported by: CE2Sec
• Patched by: kevinpapst

First reported in GitHub advisory: GHSA-v33r-r6h2-8wr7