API invoice endpoint missing customer-level access control (IDOR)

Affected versions

  • Affected versions: <= 2.50.0
  • Patched version: 2.51.0
  • Advisory published: 04 Mar 2026

Severity

Severity: Medium

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-28685 to this issue.

Vulnerability

Kimai contained an insecure direct object reference in the API invoice endpoint. In affected versions, the single-invoice API endpoint checked only the general invoice permission and did not verify that the requesting user had access to the invoice customer.

As a result, users with invoice viewing permissions could access invoices that belonged to customers outside their own team scope.

Info

This issue affected customer-level access control for invoice retrieval through the API.

  • The endpoint GET /api/invoices/{id} performed a role check but missed the customer access check
  • Team-scoped users could retrieve invoices from other teams by ID
  • Invoice data can contain sensitive customer and financial information
  • The issue broke intended data isolation in multi-team installations
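The contrast the advisory draws between a role check and a customer-scope check, as an added Python model (not Kimai's code; the data model, the `view_invoice` role name and the team-to-customer mapping are assumptions chosen for illustration):

```python
# Constructed model of the check described in the advisory; not Kimai code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    id: int
    customer_id: int
    customer_teams: frozenset  # teams allowed to see this customer (assumed)

@dataclass(frozen=True)
class User:
    roles: frozenset
    team_ids: frozenset

class AccessDenied(Exception):
    """Caller lacks the general invoice permission."""

class NotFound(Exception):
    """Invoice does not exist or lies outside the caller's customer scope."""

# Constructed sample data: two teams, one customer and one invoice each.
TEAM_A, TEAM_B = 1, 2
INVOICES = {
    10: Invoice(10, customer_id=100, customer_teams=frozenset({TEAM_A})),
    20: Invoice(20, customer_id=200, customer_teams=frozenset({TEAM_B})),
}

def has_invoice_permission(user: User) -> bool:
    """Role check only: may this user view invoices at all?"""
    return "view_invoice" in user.roles

def can_access_customer(user: User, invoice: Invoice) -> bool:
    """Object-level check: does the user share a team with the customer?"""
    return bool(user.team_ids & invoice.customer_teams)

def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Pattern the advisory describes: role check, no customer check (IDOR)."""
    if not has_invoice_permission(user):
        raise AccessDenied()
    return INVOICES[invoice_id]

def get_invoice_fixed(user: User, invoice_id: int) -> Invoice:
    """Role check, then a customer-scope check on the requested object."""
    if not has_invoice_permission(user):
        raise AccessDenied()
    invoice = INVOICES.get(invoice_id)
    # One response for unknown and out-of-scope IDs, so the endpoint does not
    # confirm which invoice IDs exist outside the caller's teams.
    if invoice is None or not can_access_customer(user, invoice):
        raise NotFound(invoice_id)
    return invoice
```

The same object-level check belongs in every handler that loads an invoice by ID, not only the single-invoice GET; a role check alone never binds the request to the caller's teams.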

Solution

Users should update to 2.51.0 or newer.

Credits

  • Reported by: CE2Sec
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-v33r-r6h2-8wr7
