CVE-2026-41498 Overview
CVE-2026-41498 is a missing authorization vulnerability [CWE-862] in Kimai, an open-source time tracking application. The flaw exists in the Team API endpoints, which use the attribute #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')]. This mistake causes the Symfony TeamVoter to abstain from voting, removing entity-level ownership checks on team operations. Any authenticated user holding the edit_team permission can modify teams they do not own or manage. The vulnerability affects all Kimai versions prior to 2.54.0 and is patched in 2.54.0.
Critical Impact
Users with the edit_team permission can modify any team in the system, bypassing entity-level ownership checks intended to restrict edits to teams they manage.
Affected Products
- Kimai versions prior to 2.54.0
- Self-hosted Kimai deployments using the Team API
- Multi-team Kimai installations relying on team ownership boundaries
Discovery Timeline
- 2026-05-08 - CVE-2026-41498 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41498
Vulnerability Analysis
Kimai uses Symfony's authorization system to enforce role and ownership checks on resources. The Team API endpoints were annotated with #[IsGranted('edit_team')], which checks only whether the requesting user holds the edit_team permission. The intended annotation, #[IsGranted('edit', 'team')], would have passed the team entity as the subject of the authorization decision. With the entity missing, the TeamVoter returns an abstain result and never evaluates whether the caller is the teamlead or owner of the specific team being modified.
The result is a broken access control condition. A user granted edit_team for their own teams can issue API requests against any team identifier and have those changes applied. This affects operations such as renaming teams, modifying member lists, and changing team-level settings exposed by the API.
Root Cause
The root cause is a coding error in the authorization attribute used on the Team API controller methods. Passing only the permission string instead of both the attribute and the subject entity disables the entity-aware voter logic. This is a classic instance of CWE-862 (Missing Authorization), where the application enforces role-level checks but omits the per-object ownership check.
Attack Vector
An authenticated user with the edit_team permission sends crafted requests to the Team API endpoints targeting team identifiers outside their authorized scope. Because the network attack vector requires valid high-privilege credentials and the exploitation conditions include knowing the target team identifiers, the practical risk is limited to environments where the edit_team permission is granted to non-administrative users. No public proof-of-concept or exploit has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
The vulnerability does not require user interaction and does not produce code execution. Impact is limited to unauthorized modification of team data within the application.
Detection Methods for CVE-2026-41498
Indicators of Compromise
- API requests to Team endpoints where the authenticated user identifier does not match the teamlead or member list of the referenced team
- Unexpected changes to team names, members, or settings in the Kimai audit log
- HTTP PATCH or PUT requests to /api/teams/{id} from accounts without administrative roles
Detection Strategies
- Review Kimai application logs for Team API calls and correlate the acting user against the target team's ownership
- Enable verbose logging on Symfony security events to capture authorization decisions on team operations
- Compare current team configurations against a known-good baseline to identify unauthorized modifications
Monitoring Recommendations
- Forward Kimai web server and application logs to a centralized log platform for retention and search
- Alert on Team API write operations performed by non-administrator accounts
- Track Kimai version inventory to identify hosts still running releases prior to 2.54.0
How to Mitigate CVE-2026-41498
Immediate Actions Required
- Upgrade all Kimai instances to version 2.54.0 or later, which contains the corrected authorization attribute
- Audit which user roles are assigned the edit_team permission and restrict it to trusted administrators until patching is complete
- Review the team membership and configuration history for unauthorized changes made prior to patching
Patch Information
The issue is fixed in Kimai 2.54.0. The patch replaces #[IsGranted('edit_team')] with #[IsGranted('edit', 'team')] on the affected Team API endpoints, restoring entity-aware authorization through the Symfony TeamVoter. Release notes are available in the GitHub Release v2.54.0 and the GitHub Security Advisory GHSA-jv9x-w4gm-hwcm.
Workarounds
- Temporarily remove the edit_team permission from non-administrator roles until the upgrade to 2.54.0 is applied
- Restrict network access to the Team API endpoints using a reverse proxy or web application firewall rule
- Disable API access for accounts that do not require it as part of their workflow
# Upgrade Kimai to the patched release
cd /path/to/kimai
git fetch --tags
git checkout 2.54.0
composer install --no-dev --optimize-autoloader
bin/console kimai:update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
