API invoice endpoint missing customer-level access control (IDOR)

Affected versions

  • Kimai versions <= 2.50.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.51.0
  • Severity: Medium
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-28685 to this issue

Description

Kimai contained an insecure direct object reference in the API invoice endpoint. In affected versions, the single-invoice API endpoint checked only the general invoice permission and did not verify that the requesting user had access to the invoice customer.

As a result, users with invoice viewing permissions could access invoices that belonged to customers outside their own team scope.

This issue affected customer-level access control for invoice retrieval through the API.

  • The endpoint GET /api/invoices/{id} performed a role check but missed the customer access check
  • Team-scoped users could retrieve invoices from other teams by ID
  • Invoice data can contain sensitive customer and financial information
  • The issue broke intended data isolation in multi-team installations
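The following added example models the access-control gap described above in Python; it is not Kimai's own code, and the users, teams, customers and invoice ids are constructed for illustration. The role-only handler reproduces the pre-fix behaviour, and the hardened handler adds the customer-level check that closes the IDOR.

```python
"""Model of GET /api/invoices/{id}: role-only check beside the hardened
role + customer-access check. Constructed data, not Kimai's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # role-level permissions such as "view_invoice"
    teams: frozenset        # names of the teams the user belongs to


@dataclass(frozen=True)
class Invoice:
    id: int
    customer: str
    customer_teams: frozenset  # teams allowed to see this customer


# Constructed sample data: one customer (and invoice) per team.
INVOICES = {
    17: Invoice(17, "Acme Corp (constructed)", frozenset({"team-a"})),
    42: Invoice(42, "Globex (constructed)", frozenset({"team-b"})),
}
TEAM_A_USER = User("alice", frozenset({"view_invoice"}), frozenset({"team-a"}))
NO_ROLE_USER = User("bob", frozenset(), frozenset({"team-b"}))


def has_role_permission(user: User) -> bool:
    """Role check only: does the user hold the general invoice permission?"""
    return "view_invoice" in user.permissions


def can_access_customer(user: User, invoice: Invoice) -> bool:
    """Object-level check: the user must share a team with the invoice's customer."""
    return bool(user.teams & invoice.customer_teams)


def get_invoice_vulnerable(user: User, invoice_id: int):
    """Pre-fix behaviour: any user with the role can fetch any invoice by id."""
    if not has_role_permission(user):
        return 403, None
    invoice = INVOICES.get(invoice_id)
    return (404, None) if invoice is None else (200, invoice)


def get_invoice_fixed(user: User, invoice_id: int):
    """Post-fix behaviour: the role check is followed by a customer access check."""
    if not has_role_permission(user):
        return 403, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not can_access_customer(user, invoice):
        return 403, None  # role passed, but the customer is outside the user's teams
    return 200, invoice
```

The fixed handler denies the team-A user invoice 42 (team B's customer) while still returning invoice 17, which is the data isolation the advisory describes.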

Solution

A permission check was added to verify that access to the invoice's customer is also granted.

Users should update to 2.51.0 or newer.

Credits

  • Reported by: CE2Sec
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-v33r-r6h2-8wr7
