GHSA-9G2Q-W3W2-VF7Q: Improper Authorization and IDOR in Kimai Timesheet Management
Vulnerability ID: GHSA-9G2Q-W3W2-VF7Q
CVSS Score: N/A
Published: 2026-05-06
Kimai versions prior to 2.56.0 contain an Improper Authorization vulnerability that behaves as an Insecure Direct Object Reference (IDOR). The flaw is in the TimesheetVoter component, which does not verify team associations when it decides whether a user may act on a given timesheet. An authenticated user holding the ROLE_TEAMLEAD privilege can therefore read, modify, or delete timesheets belonging to users in teams they do not lead, simply by referencing the timesheet ID.
TL;DR
A missing team-scope check in the TimesheetVoter allows users with the ROLE_TEAMLEAD permission to manipulate timesheets outside their managed teams via API requests.
⚠️ Exploit Status: POC
Technical Details
- Advisory ID: GHSA-9G2Q-W3W2-VF7Q
- CVE ID: None assigned
- Vulnerability Type: Improper Authorization (IDOR)
- Affected Component: TimesheetVoter
- Attack Vector: Network
- Privileges Required: ROLE_TEAMLEAD
- CVSS v4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P (note that this vector rates integrity impact only, VC:N, while the description above also claims read access to other teams' timesheets)
Affected Systems
- kimai/kimai (Packagist): < 2.56.0 (fixed in 2.56.0)
Mitigation Strategies
- Upgrade Kimai to version 2.56.0 or later.
- Audit which users hold ROLE_TEAMLEAD and confirm each one actually leads the teams whose timesheets they need to manage.
- As an interim measure before upgrading, revoke the global edit_other_timesheet and delete_other_timesheet permissions from ROLE_TEAMLEAD so that team leads are limited to team-scoped permissions.
Remediation Steps:
- Identify the Kimai version currently in use.
- Download and deploy Kimai 2.56.0 via Composer.
- Review the roles assigned to each user in the Kimai administrative interface.
- Monitor API logs for write requests (PATCH, PUT, DELETE) against /api/timesheets/{id} issued by ROLE_TEAMLEAD users where the timesheet owner is not a member of a team that user leads.
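The following is an added example written for this page, not Kimai's own PHP code. It models in Python the authorization decision the advisory describes (a teamlead check without, and then with, a team-scope check) and then replays constructed API access-log lines against the corrected decision so that successful writes the fixed check would have denied are surfaced as candidate exploitation events. The user names, team layout, timesheet IDs, log format, ROLE_ADMIN short-circuit and the helper names (`vote_vulnerable`, `vote_fixed`, `find_cross_team_writes`) are all assumptions for illustration.

```python
"""Model of the missing team-scope check in a timesheet voter, plus a log replay.

Illustrative code for GHSA-9G2Q-W3W2-VF7Q; not Kimai's implementation.
All users, teams, timesheets and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Timesheet:
    id: int
    owner: str


# Constructed roles: ROLE_TEAMLEAD is the privilege the advisory names;
# ROLE_USER / ROLE_ADMIN are assumed for the example.
ROLES = {
    "alice": {"ROLE_TEAMLEAD"},  # leads team "backend"
    "bob": {"ROLE_TEAMLEAD"},    # leads team "design"
    "carol": {"ROLE_USER"},      # member of "backend"
    "dave": {"ROLE_USER"},       # member of "design"
    "root": {"ROLE_ADMIN"},
}
TEAMS = {
    "backend": {"leads": {"alice"}, "members": {"alice", "carol"}},
    "design": {"leads": {"bob"}, "members": {"bob", "dave"}},
}
TIMESHEETS = {
    1: Timesheet(1, "carol"),
    2: Timesheet(2, "dave"),
    3: Timesheet(3, "alice"),
}

WRITE_METHODS = {"PATCH", "PUT", "DELETE"}


def leads_team_of(actor: str, owner: str) -> bool:
    """True if `actor` leads at least one team that `owner` belongs to."""
    return any(actor in t["leads"] and owner in t["members"] for t in TEAMS.values())


def vote_vulnerable(actor: str, ts: Timesheet) -> bool:
    """Flawed decision: teamlead privilege is honoured with no team-scope check."""
    roles = ROLES[actor]
    if actor == ts.owner or "ROLE_ADMIN" in roles:
        return True
    return "ROLE_TEAMLEAD" in roles  # never asks whether actor leads the owner's team


def vote_fixed(actor: str, ts: Timesheet) -> bool:
    """Same decision with the team-scope check the advisory describes as missing."""
    roles = ROLES[actor]
    if actor == ts.owner or "ROLE_ADMIN" in roles:
        return True
    return "ROLE_TEAMLEAD" in roles and leads_team_of(actor, ts.owner)


# Assumed log format: "<timestamp> user=<name> <METHOD> /api/timesheets/<id> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) /api/timesheets/(?P<id>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: bob (lead of "design") writes to timesheets owned by
# members of "backend"; dave's attempt is denied and must not be flagged.
SAMPLE_LOG = """\
2026-05-06T10:00:01Z user=alice PATCH /api/timesheets/1 200
2026-05-06T10:00:05Z user=bob PATCH /api/timesheets/1 200
2026-05-06T10:00:09Z user=bob DELETE /api/timesheets/3 204
2026-05-06T10:00:12Z user=carol GET /api/timesheets/1 200
2026-05-06T10:00:15Z user=root DELETE /api/timesheets/2 204
2026-05-06T10:00:20Z user=dave PATCH /api/timesheets/1 403
"""


def find_cross_team_writes(log_text: str) -> list[dict]:
    """Replay successful write requests against the fixed decision.

    Any write the server granted (2xx) that `vote_fixed` would deny is a
    candidate exploitation of the missing team-scope check.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m["method"] not in WRITE_METHODS or not m["status"].startswith("2"):
            continue  # reads and denied requests are out of scope
        ts = TIMESHEETS.get(int(m["id"]))
        if ts is None:
            continue  # unknown timesheet id; cannot resolve an owner
        if not vote_fixed(m["user"], ts):
            hits.append({"time": m["ts"], "user": m["user"], "method": m["method"],
                         "timesheet": ts.id, "owner": ts.owner})
    return hits


if __name__ == "__main__":
    for hit in find_cross_team_writes(SAMPLE_LOG):
        print(hit)
```

Running the block prints the two writes by bob against timesheets owned by members of a team he does not lead. In a real deployment the web-server access log usually carries no user name, so the replay needs the authenticated user (from the application log or API token) joined with the timesheet owner from the database; the team membership data is the same that the fixed voter consults, which is why the detector and the authorization check share `leads_team_of`.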