Vulnerability-Lookup

CVE-2026-28685 (GCVE-0-2026-28685)

Vulnerability from cvelistv5 – Published: 2026-03-06 04:49 – Updated: 2026-03-09 19:46

Title

Kimai: API invoice endpoint missing customer-level access control (IDOR)

Summary

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kimai/kimai/security/advisorie…	x_refsource_CONFIRM
	https://github.com/kimai/kimai/commit/a0601c8cb28…	x_refsource_MISC
	https://github.com/kimai/kimai/releases/tag/2.51.0	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kimai	kimai	Affected: < 2.51.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28685",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T19:46:43.839705Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T19:46:54.339Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kimai",
          "vendor": "kimai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.51.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice\u0027s customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T04:49:08.312Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"
        },
        {
          "name": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"
        },
        {
          "name": "https://github.com/kimai/kimai/releases/tag/2.51.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kimai/kimai/releases/tag/2.51.0"
        }
      ],
      "source": {
        "advisory": "GHSA-v33r-r6h2-8wr7",
        "discovery": "UNKNOWN"
      },
      "title": "Kimai: API invoice endpoint missing customer-level access control (IDOR)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28685",
    "datePublished": "2026-03-06T04:49:08.312Z",
    "dateReserved": "2026-03-02T21:43:19.927Z",
    "dateUpdated": "2026-03-09T19:46:54.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28685\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T05:16:38.770\",\"lastModified\":\"2026-03-10T19:52:21.203\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \\\"GET /api/invoices/{id}\\\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice\u0027s customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.\"},{\"lang\":\"es\",\"value\":\"Kimai es una aplicaci\u00f3n de seguimiento de tiempo multiusuario basada en web. Antes de la versi\u00f3n 2.51.0, \u0027GET /API/invoices/{id}\u0027 solo verifica el permiso view_invoice basado en roles, pero no verifica que el usuario solicitante tenga acceso al cliente de la factura. Cualquier usuario con ROLE_TEAMLEAD (que otorga view_invoice) puede leer todas las facturas en el sistema, incluyendo aquellas que pertenecen a clientes asignados a otros equipos. Este problema ha sido parcheado en la versi\u00f3n 2.51.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.51.0\",\"matchCriteriaId\":\"7EDBE56C-4861-486D-85FA-234F4CAA4437\"}]}]}],\"references\":[{\"url\":\"https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kimai/kimai/releases/tag/2.51.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28685\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T19:46:43.839705Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T19:46:50.876Z\"}}], \"cna\": {\"title\": \"Kimai: API invoice endpoint missing customer-level access control (IDOR)\", \"source\": {\"advisory\": \"GHSA-v33r-r6h2-8wr7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"kimai\", \"product\": \"kimai\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.51.0\"}]}], \"references\": [{\"url\": \"https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7\", \"name\": \"https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f\", \"name\": \"https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kimai/kimai/releases/tag/2.51.0\", \"name\": \"https://github.com/kimai/kimai/releases/tag/2.51.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \\\"GET /api/invoices/{id}\\\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice\u0027s customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T04:49:08.312Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28685\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T19:46:54.339Z\", \"dateReserved\": \"2026-03-02T21:43:19.927Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T04:49:08.312Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-V33R-R6H2-8WR7

Vulnerability from github – Published: 2026-03-04 20:43 – Updated: 2026-03-06 15:17

Summary

Kimai's API invoice endpoint missing customer-level access control (IDOR)

Details

Summary

GET /api/invoices/{id} only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams.

Affected Code

src/API/InvoiceController.php line 92-101:

#[IsGranted('view_invoice')]           // Role check only, no customer access check
#[Route(methods: ['GET'], path: '/{id}', name: 'get_invoice', requirements: ['id' => '\d+'])]
public function getAction(Invoice $invoice): Response
{
    $view = new View($invoice, 200);
    $view->getContext()->setGroups(self::GROUPS_ENTITY);
    return $this->viewHandler->handle($view);  // Returns ANY invoice by ID
}

The web controller (src/Controller/InvoiceController.php line 304-307) correctly checks customer access:

#[IsGranted('view_invoice')]
#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
public function downloadAction(Invoice $invoice, ...): Response { ... }

The access attribute in CustomerVoter (line 71-87) verifies team membership, but this check is entirely missing from the API endpoint.

PoC

Tested against Kimai v2.50.0 (Docker: kimai/kimai2:apache).

Setup: - TeamA with CustomerA ("SecretCorp"), TeamB with CustomerB ("BobCorp") - Bob is a teamlead in TeamB only - An invoice exists for SecretCorp (TeamA)

# Bob (TeamB) reads SecretCorp (TeamA) invoice
curl -H "Authorization: Bearer BOB_TOKEN" http://localhost:8888/api/invoices/1

Response (200 OK):

{
  "invoiceNumber": "INV-2026-001",
  "total": 15000.0,
  "currency": "USD",
  "customer": {"name": "SecretCorp", ...}
}

Bob can also enumerate all invoices via GET /api/invoices — the list endpoint uses setCurrentUser() in the query but the single-item endpoint bypasses this entirely via Symfony ParamConverter.

Impact

Any teamlead can read all invoices across the system regardless of team assignment. Invoice data typically contains sensitive financial information (amounts, customer details, payment terms). In multi-team deployments this breaks the intended data isolation between teams.

Suggested Fix

Add the customer access check to the API endpoint, matching the web controller:

 #[IsGranted('view_invoice')]
+#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
 #[Route(methods: ['GET'], path: '/{id}', name: 'get_invoice')]
 public function getAction(Invoice $invoice): Response

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.50.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.51.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:43:17Z",
    "nvd_published_at": "2026-03-06T05:16:38Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`GET /api/invoices/{id}` only checks the role-based `view_invoice` permission but does not verify the requesting user has `access` to the invoice\u0027s customer. Any user with `ROLE_TEAMLEAD` (which grants `view_invoice`) can read all invoices in the system, including those belonging to customers assigned to other teams.\n\n## Affected Code\n\n`src/API/InvoiceController.php` line 92-101:\n\n```php\n#[IsGranted(\u0027view_invoice\u0027)]           // Role check only, no customer access check\n#[Route(methods: [\u0027GET\u0027], path: \u0027/{id}\u0027, name: \u0027get_invoice\u0027, requirements: [\u0027id\u0027 =\u003e \u0027\\d+\u0027])]\npublic function getAction(Invoice $invoice): Response\n{\n    $view = new View($invoice, 200);\n    $view-\u003egetContext()-\u003esetGroups(self::GROUPS_ENTITY);\n    return $this-\u003eviewHandler-\u003ehandle($view);  // Returns ANY invoice by ID\n}\n```\n\nThe web controller (`src/Controller/InvoiceController.php` line 304-307) correctly checks customer access:\n\n```php\n#[IsGranted(\u0027view_invoice\u0027)]\n#[IsGranted(new Expression(\"is_granted(\u0027access\u0027, subject.getCustomer())\"), \u0027invoice\u0027)]\npublic function downloadAction(Invoice $invoice, ...): Response { ... }\n```\n\nThe `access` attribute in `CustomerVoter` (line 71-87) verifies team membership, but this check is entirely missing from the API endpoint.\n\n## PoC\n\nTested against Kimai v2.50.0 (Docker: `kimai/kimai2:apache`).\n\nSetup:\n- TeamA with CustomerA (\"SecretCorp\"), TeamB with CustomerB (\"BobCorp\")\n- Bob is a teamlead in TeamB only\n- An invoice exists for SecretCorp (TeamA)\n\n```bash\n# Bob (TeamB) reads SecretCorp (TeamA) invoice\ncurl -H \"Authorization: Bearer BOB_TOKEN\" http://localhost:8888/api/invoices/1\n```\n\nResponse (200 OK):\n```json\n{\n  \"invoiceNumber\": \"INV-2026-001\",\n  \"total\": 15000.0,\n  \"currency\": \"USD\",\n  \"customer\": {\"name\": \"SecretCorp\", ...}\n}\n```\n\nBob can also enumerate all invoices via `GET /api/invoices` \u2014 the list endpoint uses `setCurrentUser()` in the query but the single-item endpoint bypasses this entirely via Symfony ParamConverter.\n\n## Impact\n\nAny teamlead can read all invoices across the system regardless of team assignment. Invoice data typically contains sensitive financial information (amounts, customer details, payment terms). In multi-team deployments this breaks the intended data isolation between teams.\n\n## Suggested Fix\n\nAdd the customer access check to the API endpoint, matching the web controller:\n\n```diff\n #[IsGranted(\u0027view_invoice\u0027)]\n+#[IsGranted(new Expression(\"is_granted(\u0027access\u0027, subject.getCustomer())\"), \u0027invoice\u0027)]\n #[Route(methods: [\u0027GET\u0027], path: \u0027/{id}\u0027, name: \u0027get_invoice\u0027)]\n public function getAction(Invoice $invoice): Response\n```",
  "id": "GHSA-v33r-r6h2-8wr7",
  "modified": "2026-03-06T15:17:08Z",
  "published": "2026-03-04T20:43:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/releases/tag/2.51.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kimai\u0027s API invoice endpoint missing customer-level access control (IDOR)"
}

FKIE_CVE-2026-28685

Vulnerability from fkie_nvd - Published: 2026-03-06 05:16 - Updated: 2026-03-10 19:52

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f	Patch
security-advisories@github.com	https://github.com/kimai/kimai/releases/tag/2.51.0	Product, Release Notes
security-advisories@github.com	https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	kimai	kimai	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EDBE56C-4861-486D-85FA-234F4CAA4437",
              "versionEndExcluding": "2.51.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice\u0027s customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0."
    },
    {
      "lang": "es",
      "value": "Kimai es una aplicaci\u00f3n de seguimiento de tiempo multiusuario basada en web. Antes de la versi\u00f3n 2.51.0, \u0027GET /API/invoices/{id}\u0027 solo verifica el permiso view_invoice basado en roles, pero no verifica que el usuario solicitante tenga acceso al cliente de la factura. Cualquier usuario con ROLE_TEAMLEAD (que otorga view_invoice) puede leer todas las facturas en el sistema, incluyendo aquellas que pertenecen a clientes asignados a otros equipos. Este problema ha sido parcheado en la versi\u00f3n 2.51.0."
    }
  ],
  "id": "CVE-2026-28685",
  "lastModified": "2026-03-10T19:52:21.203",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T05:16:38.770",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/kimai/kimai/releases/tag/2.51.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28685 (GCVE-0-2026-28685)

GHSA-V33R-R6H2-8WR7

Summary

Affected Code

PoC

Impact

Suggested Fix

FKIE_CVE-2026-28685

Tags

Sightings

Nomenclature