CVE-2026-40486 Overview
CVE-2026-40486 is an authorization bypass vulnerability in Kimai, an open-source time tracking application. The vulnerability exists in the User Preferences API endpoint (PATCH /api/users/{id}/preferences) which fails to properly validate the isEnabled() flag on preference objects before applying submitted values. This allows authenticated users to modify billing rate fields (hourly_rate and internal_rate) even when they lack the required hourly-rate role permission.
Critical Impact
Authenticated users can manipulate their own billing rates through the vulnerable API endpoint, leading to unauthorized financial tampering that affects invoices and timesheet calculations across the organization.
Affected Products
- Kimai versions 2.52.0 and below
Discovery Timeline
- 2026-04-17 - CVE-2026-40486 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40486
Vulnerability Analysis
This vulnerability is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly known as mass assignment. The core issue lies in the User Preferences API endpoint's failure to enforce role-based access controls when processing preference updates.
Although the Kimai application correctly marks the hourly_rate and internal_rate fields as disabled for users without the hourly-rate role permission through the isEnabled() method, the API backend ignores this restriction entirely. When a PATCH request is made to /api/users/{id}/preferences, the endpoint processes and saves all submitted preference values without verifying whether the requesting user has authorization to modify each specific field.
This architectural flaw means that front-end UI restrictions provide no actual security protection, as any authenticated user can craft direct API requests to modify protected billing fields.
Root Cause
The root cause is a missing server-side authorization check in the User Preferences API controller. The application relies on the isEnabled() flag to control UI visibility but fails to enforce this same restriction at the API level when processing PATCH requests. The vulnerable code path applies preference values directly to the database without checking whether the authenticated user possesses the necessary role permissions for each field being modified.
Attack Vector
The vulnerability is exploitable over the network by any authenticated user. An attacker with valid Kimai credentials can send a crafted PATCH request to the /api/users/{id}/preferences endpoint, including unauthorized hourly_rate or internal_rate values. Since the attack requires only basic authentication and involves a straightforward API call, the barrier to exploitation is low.
The attack flow involves an authenticated user identifying the preferences API endpoint, crafting a PATCH request that includes the protected billing rate fields, and submitting the request directly to the API. The server processes the request without validating role permissions, resulting in modified billing rates that affect all future invoice and timesheet calculations.
Detection Methods for CVE-2026-40486
Indicators of Compromise
- Unexpected changes to user hourly_rate or internal_rate values in the database
- API access logs showing PATCH requests to /api/users/{id}/preferences from users without hourly-rate role permissions
- Discrepancies in invoice calculations or timesheet billing that cannot be explained by legitimate rate changes
- Audit log entries showing preference modifications by users who should not have billing rate access
Detection Strategies
- Monitor API logs for PATCH requests to the /api/users/{id}/preferences endpoint and correlate with user role permissions
- Implement database triggers or change auditing on billing rate fields to capture unauthorized modifications
- Review application logs for preference update operations and cross-reference with role-based access control policies
- Deploy API gateway rules to flag requests containing hourly_rate or internal_rate fields from users lacking appropriate permissions
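The first and fourth strategies above, worked through as a log sweep. This is an added example, not code from Kimai or from the advisory: it parses constructed JSON-lines access-log records (the `user`, `method`, `path`, `body` field names, the `PERMISSIONS` map, and the `{"preferences": [{"name": ..., "value": ...}]}` body shape are all assumptions) and reports PATCH requests to the preferences endpoint that carry hourly_rate or internal_rate from a user who lacks the hourly-rate permission.

```python
import json
import re

# Billing fields the advisory says are gated by the hourly-rate permission.
PROTECTED_FIELDS = {"hourly_rate", "internal_rate"}
PREF_PATH = re.compile(r"^/api/users/(?P<uid>\d+)/preferences$")

# Constructed permission map (assumed shape): username -> set of permission names.
PERMISSIONS = {
    "alice": {"view_own_timesheet"},
    "bob": {"view_own_timesheet", "hourly-rate"},
}

# Constructed JSON-lines access log that includes request bodies. The body shape
# {"preferences": [{"name": ..., "value": ...}]} is an assumption, not taken from Kimai.
SAMPLE_LOG = """\
{"ts":"2026-04-18T09:00:01Z","user":"alice","method":"GET","path":"/api/users/7/preferences","body":null}
{"ts":"2026-04-18T09:00:05Z","user":"alice","method":"PATCH","path":"/api/users/7/preferences","body":{"preferences":[{"name":"timezone","value":"Europe/Berlin"}]}}
{"ts":"2026-04-18T09:01:10Z","user":"alice","method":"PATCH","path":"/api/users/7/preferences","body":{"preferences":[{"name":"hourly_rate","value":"250"}]}}
{"ts":"2026-04-18T09:02:00Z","user":"bob","method":"PATCH","path":"/api/users/3/preferences","body":{"preferences":[{"name":"internal_rate","value":"80"}]}}
not json at all
"""


def submitted_fields(body):
    """Preference names in the request body (empty set for no/unknown body)."""
    prefs = body.get("preferences") if isinstance(body, dict) else None
    return {p.get("name") for p in prefs if isinstance(p, dict)} if isinstance(prefs, list) else set()


def check_event(event, permissions):
    """Return (user, target_user_id, touched_fields) for a PATCH to the preferences
    endpoint that sets billing fields without the hourly-rate permission; else None."""
    m = PREF_PATH.match(event.get("path", ""))
    if event.get("method") != "PATCH" or not m:
        return None
    touched = tuple(sorted(submitted_fields(event.get("body")) & PROTECTED_FIELDS))
    if not touched or "hourly-rate" in permissions.get(event.get("user"), set()):
        return None
    return (event.get("user"), int(m.group("uid")), touched)


def scan(log_text, permissions=PERMISSIONS):
    """Walk JSON lines, skipping malformed ones, and collect all findings."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: skip it rather than abort the sweep
        if isinstance(event, dict) and (f := check_event(event, permissions)):
            findings.append(f)
    return findings
```

Running `scan(SAMPLE_LOG)` flags only alice's third request; bob's change is allowed because he holds the permission, and the timezone update touches no billing field.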
Monitoring Recommendations
- Enable detailed logging for all API preference update operations including request payloads
- Configure alerts for billing rate changes outside of normal business workflows
- Implement periodic database audits comparing current billing rates against approved rate schedules
- Monitor for anomalous invoice amounts that may indicate rate manipulation
How to Mitigate CVE-2026-40486
Immediate Actions Required
- Upgrade Kimai to version 2.53.0 or later immediately
- Audit all user billing rates to identify any unauthorized modifications
- Review API access logs for suspicious preference update activity
- Temporarily restrict API access to the preferences endpoint if immediate patching is not possible
Patch Information
The Kimai development team has addressed this vulnerability in version 2.53.0. The fix implements proper server-side validation of the isEnabled() flag before applying preference values, ensuring that role-based access controls are enforced at the API level.
For detailed patch information, see the GitHub Release 2.53.0 and the GitHub Security Advisory GHSA-qh43-xrjm-4ggp.
Workarounds
- Implement a reverse proxy or API gateway rule to block PATCH requests containing hourly_rate or internal_rate fields
- Restrict API access to trusted administrative users until the patch can be applied
- Enable database-level constraints or triggers to prevent unauthorized billing rate modifications
- Review and tighten role assignments to minimize the number of authenticated users in the system
# Example: Block vulnerable API endpoint at reverse proxy (nginx)
location ~ ^/api/users/[0-9]+/preferences$ {
    # Temporarily restrict to admin IPs only until patch is applied.
    # Note: this applies to every method on the endpoint, not only PATCH;
    # 10.0.0.0/8 is a placeholder, replace it with the real admin source range.
    allow 10.0.0.0/8;
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.