API access possible without completing two-factor authentication

Affected versions

  • Kimai versions < 2.58.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.59.0
  • Severity: High
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52827 to this issue

Description

A vulnerability in Kimai’s API authentication allowed users to access the REST API without completing the second step of two-factor authentication (2FA). Anyone who obtained a user’s password could gain full API access, bypassing the additional security that 2FA is designed to provide.

  • Affected area: Kimai’s REST API endpoints
  • Required to exploit: Knowledge of the user’s password
  • Affected deployments: All Kimai installations (OnPremise and Cloud) running versions before 2.58.0
  • Who is affected: Any user account with two-factor authentication enabled
  • Web interface: Not affected — the browser-based UI correctly enforced 2FA
  • Impact: An attacker with a stolen password could perform any API action as the compromised user, without needing the second factor (e.g., a TOTP code)

The official CVE is rated Medium because the attacker must already know the user’s password. While this does reduce the attack surface compared to an unauthenticated bypass, we rate this issue as High because defending against compromised passwords is the exact purpose of two-factor authentication.

Solution

Kimai’s API firewall was updated to verify that the full two-factor authentication process has been completed before granting API access. The API authorization now explicitly rejects sessions that are still in the 2FA step. Regression tests were added to prevent this issue from recurring.
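A guard of this kind, written here as an added example rather than Kimai's actual patch: it assumes a Symfony application using scheb/2fa-bundle, where a login that has passed the password step but not yet supplied the second factor is represented by a `TwoFactorTokenInterface` token, and an API mounted under `/api/`.

```php
<?php
// Added example (not Kimai's code). Assumes Symfony + scheb/2fa-bundle.
// Denies API requests whose security token shows 2FA is still in progress,
// so a password alone is not enough to reach the REST API.
namespace App\EventSubscriber;

use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class ApiTwoFactorGuard implements EventSubscriberInterface
{
    // Path prefix of the API (assumption for this example).
    private const API_PREFIX = '/api/';

    public function __construct(private TokenStorageInterface $tokenStorage)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Symfony's firewall listener runs on kernel.request at priority 8;
        // priority 7 runs right after it, once the token has been set.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        if (!str_starts_with($request->getPathInfo(), self::API_PREFIX)) {
            return; // only the REST API is guarded here
        }

        $token = $this->tokenStorage->getToken();

        // A TwoFactorTokenInterface means: password accepted, second factor
        // not yet verified. Such a session must not be treated as authenticated.
        if ($token instanceof TwoFactorTokenInterface) {
            $event->setResponse(new JsonResponse(
                ['message' => 'Two-factor authentication not completed'],
                401
            ));
        }
    }
}
```

Register the class as a service (autoconfiguration picks up the `EventSubscriberInterface`); a regression test can then assert that an API request made with a half-authenticated session receives 401 instead of a resource.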

Users should update to 2.59.0 or newer.

Credits

  • Reported by: shafiqaimanx from NetByteSec
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-v8hx-4vx8-wc96
