PT-2026-60095 · Packagist · Kimai/Kimai
CVE-2026-52828
·
Published
2026-07-14
·
Updated
2026-07-14
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
The
ExportController web routes for creating and editing export templates are gated only by the class-level create export permission, which is granted to ROLE TEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter create export template permission, which is granted only to ROLE ADMIN and ROLE SUPER ADMIN. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users including administrators.Details
The
ExportController applies the class-level annotation #[IsGranted('create export')].The
createExportTemplate (line 210) and editExportTemplate (line 220) methods have no method-level #[IsGranted('create export template')] annotation. The permission hierarchy in config/packages/kimai.yaml:103,115,122-123 grants create export to ROLE TEAMLEAD via the EXPORT permission set, but create export template only to ROLE ADMIN and ROLE SUPER ADMIN.The API controller correctly requires
create export template. The UI template (templates/export/index.html.twig:124) correctly hides the create button behind create export template. Only the web controller routes are missing the check.ExportTemplate entities are global — they have no per-user or per-team scoping (src/Entity/ExportTemplate.php:19-56). Any template created or modified by a TEAMLEAD which is marked as "Available for all users" is visible to and usable by every user in the instance.A PoC was provided, but removed for security reasons.
Impact
Any user with
ROLE TEAMLEAD can create and modify global export templates intended to be managed only by administrators. The templates control the structure and content of exported data (columns, renderer, format). While the impact is limited to data integrity manipulation of a non-security-critical resource (no RCE, no credential exposure), it violates the intended permission boundary and allows a lower-privileged user to influence the data output format used by all users including administrators.Solution
The permission check
#[IsGranted('create export template')] was added to the ExportController covering the methods createExportTemplate() and editExportTemplate.See https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h for more details.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kimai/Kimai