CVE-2026-41498

EUVD-2026-28495
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
kimaikimai
𝑥
< 2.54.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/kimai/kimai/releases/tag/2.54.0
https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm
https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm