Udaypali

**Name of the Vulnerable Software and Affected Versions** Kimai versions prior to 2.53.0 **Description** A Mass Assignment and Broken Object Property Level Authorization issue exists in the User Preferences API. The endpoint '/api/users/{id}/preferences' fails to check the `isEnabled()` flag on preference objects when applying submitted values. This allows any authenticated user to bypass role-based access controls and modify restricted financial attributes, specifically the `hourly rate` and `internal rate` variables, even if they lack the required `hourly-rate` role permission. This can lead to unauthorized financial tampering affecting invoices and timesheet calculations. **Recommendations** Update to version 2.53.0. As a temporary workaround, restrict access to the '/api/users/{id}/preferences' endpoint to minimize the risk of exploitation.