Azureadtrent

**Name of the Vulnerable Software and Affected Versions** Kimai versions prior to 2.54.0 **Description** Team API endpoints in the TeamController.php file use the `#[IsGranted('edit team')]` attribute instead of `#[IsGranted('edit','team')]`. This causes the Symfony TeamVoter to abstain from voting, which removes entity-level ownership checks on team operations. Consequently, any user granted the `edit team` permission can modify any team, including membership, customer assignments, project assignments, and activity assignments, regardless of whether they are authorized to manage that specific team. This issue is exploitable if an administrator assigns the `edit team` permission to a lower-privilege role. **Recommendations** Update to version 2.54.0.