Team leads could add users and activities to their team that were outside their allowed scope
Affected versions
- Kimai versions <=2.57.0 are affected by this security issue
- The issue has been fixed in Kimai 2.58.0
- Severity: Medium
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52825 to this issue
Description
A team lead with permission to edit their own team could call the API directly to add users, customers, projects, or activities that they weren’t allowed to manage through the regular interface. Because team membership influences who can see and work with which data, those additions could then expand access for the team lead beyond what an administrator intended.
- Affected feature: the team management API endpoints used to add a member, customer, project, or activity to a team via POST /api/teams/{id}/<object>/{id}.
- Required access: an authenticated user with ROLE_TEAMLEAD who already had edit access to at least one team.
- Permission gap: the API only checked whether the caller could edit the team itself. It didn’t check whether the team lead was actually allowed to see or manage the user, customer, project, or activity being attached. The web interface correctly hid those choices in its selection lists, so this was reachable only through direct API calls.
- Downstream impact: once an object is attached to a team, later access checks may trust that relation. A team lead could therefore widen their own visibility into users, customers, projects, or activities, which then influences time entries, statistics, reporting, and team-based access control.
- All Kimai installations were affected.
Solution
The team assignment endpoints now perform a second permission check on the referenced object before the relation is saved. Adding a member requires access to that user, and attaching a customer, project, or activity requires view access to it, so team leads can no longer pull objects into their team that fall outside their authorized scope.
Users should update to 2.58.0 or newer.
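The following is an added illustration of the authorization pattern this advisory describes, not Kimai's own code: a team-assignment handler that only verifies edit rights on the team (the gap) beside one that also verifies the caller may view the referenced object before the relation is saved (the fix). The Caller and Team classes, the function names, and the constructed scenario (team 7, projects P-1 and P-2) are assumptions for the example.

```php
<?php
// Added illustration, not Kimai's code: models the two checks described for
// POST /api/teams/{id}/<object>/{id}. All names and data here are assumptions.
declare(strict_types=1);

final class Caller
{
    /** @param int[]    $editableTeams team ids this caller may edit
     *  @param string[] $visible       ids of users/customers/projects/activities this caller may view */
    public function __construct(public array $editableTeams, public array $visible) {}
}

final class Team
{
    /** @var array<string, string[]> relations keyed by kind: member, customer, project, activity */
    public array $relations = [];
    public function __construct(public int $id) {}
}

// Vulnerable pattern: only "may the caller edit this team?" is verified.
function attachUnchecked(Caller $c, Team $team, string $kind, string $objectId): void
{
    if (!in_array($team->id, $c->editableTeams, true)) {
        throw new RuntimeException('403: caller cannot edit team ' . $team->id);
    }
    $team->relations[$kind][] = $objectId; // the referenced object is never authorized
}

// Fixed pattern: a second check on the referenced object before the relation is saved.
function attachChecked(Caller $c, Team $team, string $kind, string $objectId): void
{
    if (!in_array($team->id, $c->editableTeams, true)) {
        throw new RuntimeException('403: caller cannot edit team ' . $team->id);
    }
    if (!in_array($objectId, $c->visible, true)) {
        throw new RuntimeException("403: $kind $objectId is outside the caller's scope");
    }
    $team->relations[$kind][] = $objectId;
}

// Constructed scenario: a team lead who may edit team 7 but may only view project P-1.
$lead = new Caller([7], ['P-1']);
foreach (['attachUnchecked', 'attachChecked'] as $fn) {
    $team = new Team(7);
    try {
        $fn($lead, $team, 'project', 'P-2'); // P-2 lies outside the lead's visible scope
        printf("%s: attached, relations=%s\n", $fn, json_encode($team->relations));
    } catch (RuntimeException $e) {
        printf("%s: rejected (%s)\n", $fn, $e->getMessage());
    }
}
```

Running it shows the unchecked handler accepting P-2 while the checked handler rejects it, which is the behaviour a regression test for this class of bug should assert on.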
Credits
- Reported by: Mitchell45
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-xv4r-4885-gwpg