PT-2026-60090 · Packagist · Kimai/Kimai
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-52823
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser's existing session for
/api/* requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly modify business state.As a result, an attacker can trick a logged-in user into visiting a malicious page and cause unauthorized timesheet actions without the victim's consent. Depending on the endpoint, this can stop a running timesheet or create and start a new one from historical data.
Details
The issue affects at least the following API routes:
GET /api/timesheets/{id}/stopGET /api/timesheets/{id}/restart
Both routes are non-read-only operations but are still exposed as
GET. In src/API/TimesheetController.php.A PoC was provided, but removed for security reasons.
Impact
This vulnerability allows an attacker to trigger unauthorized business-state changes as a logged-in victim. In the validated
stop case, a running timesheet can be stopped, affecting time tracking integrity and potentially availability of ongoing work tracking. In the restart case, a historical timesheet can be restarted and a new record can be created without the victim's knowledge.These actions can corrupt time records, distort billing and reporting, interfere with approvals or audits, and create persistent database-side side effects. Because exploitation requires only that the victim visit a malicious page while authenticated, the attack barrier is low.
Solution
The
GET routes were removed, both stop and restart are only available via PATCH.See https://www.kimai.org/en/security/ghsa-r8vr-m544-qh4h for more information.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kimai/Kimai