CVE-2026-40486

Name of the Vulnerable Software and Affected Versions Kimai versions prior to 2.53.0

Description A Mass Assignment and Broken Object Property Level Authorization issue exists in the User Preferences API. The endpoint '/api/users/{id}/preferences' fails to check the isEnabled() flag on preference objects when applying submitted values. This allows any authenticated user to bypass role-based access controls and modify restricted financial attributes, specifically the hourly rate and internal rate variables, even if they lack the required hourly-rate role permission. This can lead to unauthorized financial tampering affecting invoices and timesheet calculations.

Recommendations Update to version 2.53.0. As a temporary workaround, restrict access to the '/api/users/{id}/preferences' endpoint to minimize the risk of exploitation.