GHSA-3Q6Q-26VG-V97X

Vulnerability from github – Published: 2026-07-14 00:03 – Updated: 2026-07-14 00:03
VLAI
Summary
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
Details

Summary

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic create_activity permission, but without access to a target project, can still create a new Activity under that unauthorized project by visiting the preset project creation route directly.

This is a persistent cross-project business-object creation issue. The attacker does not need permission to view or edit the target project and only needs to know a valid project.id.

Details

The issue affects the activity creation entry point that accepts a preset project identifier:

  • GET/POST /en/admin/activity/create/{project}
  • GET/POST /en/admin/project/create/{customer}

In src/Controller/ActivityController.php, the controller checks only the global capability to create activities and does not verify whether the current user is allowed to create an activity under the supplied Project object.

The form and repository path also preserve the preset project instead of rejecting it when the user lacks access. Because the preset project is merged into the candidate set, the final save operation can persist a new Activity under a project that is outside the attacker's authorized project scope.

The same logic applies to the src/Controller/ProjectController.php.

A PoC was provided, but removed for security reasons.

Impact

This vulnerability allows an authenticated user to inject new child business objects into projects outside their authorized scope. An attacker can pollute another team's project configuration, influence later timesheet selection and rate inheritance, and create conditions for downstream business abuse if other users start using the injected activity.

Solution

  • In ActivityController we now validate if the project can be edited with [IsGranted('edit', 'project')]
  • In ProjectController we now validate if if the customer can be edited with [IsGranted('edit', 'customer')]

See https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.56.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.57.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T00:03:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nKimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic `create_activity` permission, but without access to a target project, can still create a new `Activity` under that unauthorized project by visiting the preset project creation route directly.\n\nThis is a persistent cross-project business-object creation issue. The attacker does not need permission to view or edit the target project and only needs to know a valid `project.id`.\n\n### Details\n\nThe issue affects the activity creation entry point that accepts a preset project identifier:\n\n- `GET/POST /en/admin/activity/create/{project}`\n- `GET/POST /en/admin/project/create/{customer}`\n\nIn `src/Controller/ActivityController.php`, the controller checks only the global capability to create activities and does not verify whether the current user is allowed to create an activity under the supplied `Project` object.\n\nThe form and repository path also preserve the preset project instead of rejecting it when the user lacks access.  Because the preset project is merged into the candidate set, the final save operation can persist a new `Activity` under a project that is outside the attacker\u0027s authorized project scope.\n\nThe same logic applies to the `src/Controller/ProjectController.php`.\n\n*A PoC was provided, but removed for security reasons.*\n\n### Impact\n\nThis vulnerability allows an authenticated user to inject new child business objects into projects outside their authorized scope. An attacker can pollute another team\u0027s project configuration, influence later timesheet selection and rate inheritance, and create conditions for downstream business abuse if other users start using the injected activity.\n\n# Solution\n\n- In `ActivityController` we now validate if the project can be edited with `[IsGranted(\u0027edit\u0027, \u0027project\u0027)]`\n- In `ProjectController` we now validate if if the customer can be edited with `[IsGranted(\u0027edit\u0027, \u0027customer\u0027)]`\n\nSee https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x",
  "id": "GHSA-3q6q-26vg-v97x",
  "modified": "2026-07-14T00:03:42Z",
  "published": "2026-07-14T00:03:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-3q6q-26vg-v97x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…