PT-2026-23088 · Kimai · Kimai

Kevin Papst, +1
Published: 2026-03-04
Updated: 2026-03-06
CVE-2026-28685
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kimai versions prior to 2.51.0
Description: Kimai is a web-based multi-user time-tracking application. The GET /api/invoices/{id} API endpoint only verifies the role-based view_invoice permission but does not confirm that the requesting user has access to the invoice's customer. A user with the ROLE_TEAMLEAD role, which grants the view_invoice permission, can access all invoices in the system, including those belonging to customers assigned to other teams. The issue stems from the absence of a customer access check in the API endpoint, unlike the web controller, which correctly implements this check. The vulnerable code is located in src/API/InvoiceController.php, lines 92-101. The getCustomer() function within CustomerVoter verifies team membership, but this check is not applied to the API endpoint. A proof of concept demonstrates that a team lead from one team can read invoices belonging to customers of another team using a simple curl request to the affected API endpoint. This allows unauthorized access to sensitive financial information, such as invoice amounts, customer details and payment terms, potentially compromising data isolation in multi-team deployments. The vulnerable parameter is id in the /api/invoices/{id} endpoint.
Recommendations: Versions prior to 2.51.0 should be updated to version 2.51.0 or later. Add the customer access check to the API endpoint, mirroring the implementation in the web controller. Specifically, add the following attribute to the getAction function of src/API/InvoiceController.php: #[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')].
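To show why a role-derived permission alone is not an authorization decision for one specific invoice, here is an added PHP model (not Kimai's code; User, Customer, Invoice, hasPermission() and canAccessCustomer() are assumed stand-ins for the real entities, the view_invoice permission and the CustomerVoter team-membership check) that runs the same request through the role-only check and through the check that also requires customer access:

```php
<?php
// Added example modelling the advisory's authorization gap; it is not Kimai's code.
// User, Customer, Invoice, hasPermission() and canAccessCustomer() are assumed stand-ins
// for the real entities, the view_invoice permission and the team-membership check
// the advisory attributes to CustomerVoter::getCustomer().

final class User
{
    public function __construct(public string $name, public array $permissions, public array $teams) {}
    public function hasPermission(string $permission): bool { return in_array($permission, $this->permissions, true); }
}
final class Customer
{
    public function __construct(public int $id, public array $teams) {}
}
final class Invoice
{
    public function __construct(public int $id, public Customer $customer, public float $total) {}
}

// What the advisory says the API endpoint checked: the role-derived permission only.
function vulnerableGetInvoice(User $user, Invoice $invoice): ?Invoice
{
    return $user->hasPermission('view_invoice') ? $invoice : null;
}

// Object-level check: the user must share at least one team with the invoice's customer.
function canAccessCustomer(User $user, Customer $customer): bool
{
    return array_intersect($user->teams, $customer->teams) !== [];
}

// Mirrors the web controller: permission AND customer access, which is what the recommended
// is_granted('access', subject.getCustomer()) expression enforces on the API route.
function fixedGetInvoice(User $user, Invoice $invoice): ?Invoice
{
    if (!$user->hasPermission('view_invoice') || !canAccessCustomer($user, $invoice->customer)) {
        return null;
    }
    return $invoice;
}

// Constructed sample: a team-a lead requesting an invoice that belongs to a team-b customer.
$leadA = new User('lead-a', ['view_invoice'], ['team-a']);
$invoice = new Invoice(42, new Customer(7, ['team-b']), 1250.00);

printf("vulnerable: %s\n", vulnerableGetInvoice($leadA, $invoice) ? 'invoice returned' : 'denied');
printf("fixed:      %s\n", fixedGetInvoice($leadA, $invoice) ? 'invoice returned' : 'denied');
```

The first line reports the invoice as returned and the second as denied; the only difference is the object-level check on the invoice's customer, which is the check the advisory says the API route lacked.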

Weakness Enumeration

Improper Authorization
Missing Authorization

Related Identifiers

CVE-2026-28685
GHSA-V33R-R6H2-8WR7

Affected Products

Kimai