CVE-2026-28685 Overview
Kimai, a popular web-based multi-user time-tracking application, contains an improper authorization vulnerability (CWE-285) in its invoice API endpoint. Prior to version 2.51.0, the GET /api/invoices/{id} endpoint only validates role-based view_invoice permissions but fails to verify whether the requesting user has legitimate access to the invoice's associated customer. This authorization flaw allows any user with ROLE_TEAMLEAD privileges to access all invoices system-wide, including those belonging to customers assigned to other teams.
Critical Impact
Authenticated users with team lead privileges can bypass customer-level access controls to read confidential invoice data belonging to any customer in the system, potentially exposing sensitive financial information across organizational boundaries.
Affected Products
- Kimai versions prior to 2.51.0
- Kimai installations with multi-team configurations using ROLE_TEAMLEAD permissions
- Kimai API consumers accessing the /api/invoices/{id} endpoint
Discovery Timeline
- 2026-03-06 - CVE-2026-28685 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-28685
Vulnerability Analysis
This vulnerability represents a classic broken access control flaw where role-based permission checks are implemented without corresponding object-level authorization. The Kimai application correctly validates that a user possesses the view_invoice permission (granted automatically to users with ROLE_TEAMLEAD), but this verification alone is insufficient for a multi-tenant environment with customer-team associations.
The authorization logic fails to implement a critical second-layer check: verifying that the requesting user's team has a legitimate business relationship with the customer whose invoice is being accessed. This architectural oversight creates a horizontal privilege escalation scenario where team leads can traverse organizational boundaries to access invoice data they should not be able to view.
Root Cause
The root cause lies in incomplete authorization logic within the InvoiceController.php API handler. The controller relies solely on role-based access control (RBAC) without implementing attribute-based access control (ABAC) for customer ownership verification. When a user with ROLE_TEAMLEAD makes a request to retrieve an invoice, the system checks if the user has the view_invoice permission but does not evaluate whether the invoice's associated customer falls within the user's authorized scope.
Attack Vector
An attacker with legitimate ROLE_TEAMLEAD credentials can exploit this vulnerability by directly accessing the invoice API endpoint with arbitrary invoice IDs. The attack requires network access to the Kimai application and valid authentication credentials with team lead privileges. No user interaction is required, and the attacker can systematically enumerate invoice IDs to extract confidential data from all customers in the system.
The exploitation is straightforward: an authenticated team lead user simply issues GET requests to /api/invoices/{id} with sequential or guessed invoice identifiers. Each successful request returns full invoice details regardless of customer ownership, enabling bulk extraction of financial data across the entire organization.
use FOS\RestBundle\View\View;
use FOS\RestBundle\View\ViewHandlerInterface;
use OpenApi\Attributes as OA;
+use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;
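Review bot: the hunk as quoted adds only the `use Symfony\Component\ExpressionLanguage\Expression;` import; the change to the invoice show action that actually applies the expression (the `IsGranted` attribute is already imported on the line above, but its use on the method is not shown) is missing from the excerpt, so the customer-level check cannot be reviewed from these lines alone. Include the controller method diff alongside the import so a reviewer can confirm the expression evaluates the invoice's customer and not just the role.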
Source: GitHub Commit a0601c8
The patch introduces Symfony Expression Language support to implement customer-level permission checks on invoice API access, ensuring users can only retrieve invoices for customers they are authorized to access.
Detection Methods for CVE-2026-28685
Indicators of Compromise
- Unusual volume of API requests to /api/invoices/{id} endpoints from team lead accounts
- Sequential or enumerated invoice ID access patterns from single user sessions
- API access logs showing team lead users retrieving invoices for customers outside their assigned teams
- Cross-team invoice data access that does not align with legitimate business operations
Detection Strategies
- Implement API request logging and analysis for /api/invoices/ endpoint access patterns
- Monitor for bulk or sequential invoice ID enumeration attempts from authenticated users
- Create alerting rules for team lead accounts accessing invoices associated with unassigned customers
- Review access logs correlating user team assignments with accessed customer invoice data
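Added here as an illustration, not Kimai's code: a Python model of the two authorization checks contrasted in Root Cause (role-only versus role plus customer-team scope), then reused as the predicate for the Detection Strategies above over constructed access-log lines. All users, teams, customers, invoice ids and the minimal log format are assumptions made up for the example.

```python
"""Model of the Kimai invoice authorization gap and a log check built on it."""
import re

# Constructed sample data (not real Kimai records).
CUSTOMER_TEAMS = {101: {"alpha"}, 102: {"beta"}}        # customer id -> teams assigned to it
INVOICE_CUSTOMER = {1: 101, 2: 101, 3: 102, 4: 102}      # invoice id -> customer id
USERS = {"lead_a": ("ROLE_TEAMLEAD", "alpha"),           # user -> (role, team)
         "lead_b": ("ROLE_TEAMLEAD", "beta"),
         "staff_a": ("ROLE_USER", "alpha")}

def rbac_only(user, invoice_id):
    """Pre-2.51.0 behaviour as described: the role grants view_invoice for every invoice."""
    role, _team = USERS[user]
    return role == "ROLE_TEAMLEAD"

def rbac_plus_customer(user, invoice_id):
    """Role check plus object-level check: the user's team must be assigned to the customer."""
    role, team = USERS[user]
    if role != "ROLE_TEAMLEAD":
        return False
    customer = INVOICE_CUSTOMER.get(invoice_id)
    return customer is not None and team in CUSTOMER_TEAMS.get(customer, set())

# Assumed minimal log format: <user> "GET /api/invoices/<id>" <status>
LOG_RE = re.compile(r'^(?P<user>\S+) "GET /api/invoices/(?P<id>\d+)" (?P<status>\d{3})$')
SAMPLE_LOG = """\
lead_a "GET /api/invoices/1" 200
lead_a "GET /api/invoices/3" 200
lead_b "GET /api/invoices/1" 200
lead_b "GET /api/invoices/2" 200
lead_b "GET /api/invoices/3" 200
lead_b "GET /api/invoices/4" 200
staff_a "GET /api/invoices/1" 403
""".splitlines()

def longest_run(ids):
    """Length of the longest run of consecutive invoice ids (enumeration signal)."""
    best = run = 0
    prev = None
    for i in sorted(ids):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best, prev = max(best, run), i
    return best

def flag_suspicious(lines, run_threshold=3):
    """Return (cross-team hits served with 200, users with sequential id runs)."""
    cross_team, ids_by_user = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        user, inv = m["user"], int(m["id"])
        ids_by_user.setdefault(user, set()).add(inv)
        if not rbac_plus_customer(user, inv):   # served, but outside the user's customer scope
            cross_team.append((user, inv))
    enumerators = sorted(u for u, ids in ids_by_user.items() if longest_run(ids) >= run_threshold)
    return cross_team, enumerators
```

Running `flag_suspicious(SAMPLE_LOG)` on the constructed log reports lead_a reading invoice 3 and lead_b reading invoices 1 and 2 as cross-team hits, and lead_b as an enumerating user.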
Monitoring Recommendations
- Enable detailed API audit logging for all invoice-related endpoints in Kimai
- Implement real-time monitoring for anomalous invoice access patterns by user role
- Configure alerts for team lead accounts with unusually high invoice retrieval activity
- Establish baseline metrics for normal invoice API access volumes per user role
How to Mitigate CVE-2026-28685
Immediate Actions Required
- Upgrade Kimai to version 2.51.0 or later immediately
- Audit API access logs to identify any potential exploitation of this vulnerability
- Review invoice access patterns for team lead accounts to detect unauthorized data access
- Consider temporarily restricting API access for ROLE_TEAMLEAD users until patching is complete
Patch Information
The vulnerability has been patched in Kimai version 2.51.0. The fix implements proper customer permission checks using Symfony Expression Language in the InvoiceController.php API handler, ensuring that users can only access invoices for customers within their authorized scope. Organizations should upgrade to version 2.51.0 or later by following the instructions in the Kimai 2.51.0 Release. For detailed technical information about the security fix, refer to the GitHub Security Advisory GHSA-v33r-r6h2-8wr7.
Workarounds
- Restrict ROLE_TEAMLEAD assignments to only trusted personnel while awaiting patch deployment
- Implement network-level access controls to limit API endpoint exposure
- Deploy a web application firewall (WAF) rule to monitor and rate-limit invoice API requests
- Consider temporarily disabling the invoice API endpoint if not business-critical until patching is complete
# Verify current Kimai version
php bin/console kimai:version
# Update Kimai to patched version
git fetch --all --tags
git checkout 2.51.0
composer install --no-dev --optimize-autoloader
php bin/console kimai:update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.