PT-2026-37123 · Kimai · Kimai

Azureadtrent

Published

2026-04-24

Updated

2026-05-12

CVE-2026-41498

CVSS v3.1

3.3

Low

Vector

AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Kimai versions prior to 2.54.0

Description Team API endpoints in the TeamController.php file use the #[IsGranted('edit team')] attribute instead of #[IsGranted('edit','team')]. This causes the Symfony TeamVoter to abstain from voting, which removes entity-level ownership checks on team operations. Consequently, any user granted the edit team permission can modify any team, including membership, customer assignments, project assignments, and activity assignments, regardless of whether they are authorized to manage that specific team. This issue is exploitable if an administrator assigns the edit team permission to a lower-privilege role.

Recommendations Update to version 2.54.0.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-41498

GHSA-JV9X-W4GM-HWCM

Affected Products

Kimai

PT-2026-37123 · Kimai · Kimai

CVE-2026-41498

Weakness Enumeration

Related Identifiers

Affected Products

References · 12