PT-2026-60090 · Packagist · Kimai/Kimai

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-52823

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser's existing session for /api/* requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly modify business state.
As a result, an attacker can trick a logged-in user into visiting a malicious page and cause unauthorized timesheet actions without the victim's consent. Depending on the endpoint, this can stop a running timesheet or create and start a new one from historical data.

Details

The issue affects at least the following API routes:
  • GET /api/timesheets/{id}/stop
  • GET /api/timesheets/{id}/restart
Both routes are non-read-only operations but are still exposed as GET. In src/API/TimesheetController.php.
A PoC was provided, but removed for security reasons.

Impact

This vulnerability allows an attacker to trigger unauthorized business-state changes as a logged-in victim. In the validated stop case, a running timesheet can be stopped, affecting time tracking integrity and potentially availability of ongoing work tracking. In the restart case, a historical timesheet can be restarted and a new record can be created without the victim's knowledge.
These actions can corrupt time records, distort billing and reporting, interfere with approvals or audits, and create persistent database-side side effects. Because exploitation requires only that the victim visit a malicious page while authenticated, the attack barrier is low.

Solution

The GET routes were removed, both stop and restart are only available via PATCH.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52823
GHSA-R8VR-M544-QH4H

Affected Products

Kimai/Kimai