GHSA-RW46-QG69-VG6H

Vulnerability from github – Published: 2026-07-14 00:34 – Updated: 2026-07-14 00:34
VLAI
Summary
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access
Details

Summary

The ExportController web routes for creating and editing export templates are gated only by the class-level create_export permission, which is granted to ROLE_TEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter create_export_template permission, which is granted only to ROLE_ADMIN and ROLE_SUPER_ADMIN. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users including administrators.

Details

The ExportController applies the class-level annotation #[IsGranted('create_export')].

The createExportTemplate (line 210) and editExportTemplate (line 220) methods have no method-level #[IsGranted('create_export_template')] annotation. The permission hierarchy in config/packages/kimai.yaml:103,115,122-123 grants create_export to ROLE_TEAMLEAD via the EXPORT permission set, but create_export_template only to ROLE_ADMIN and ROLE_SUPER_ADMIN.

The API controller correctly requires create_export_template. The UI template (templates/export/index.html.twig:124) correctly hides the create button behind create_export_template. Only the web controller routes are missing the check.

ExportTemplate entities are global — they have no per-user or per-team scoping (src/Entity/ExportTemplate.php:19-56). Any template created or modified by a TEAMLEAD which is marked as "Available for all users" is visible to and usable by every user in the instance.

A PoC was provided, but removed for security reasons.

Impact

Any user with ROLE_TEAMLEAD can create and modify global export templates intended to be managed only by administrators. The templates control the structure and content of exported data (columns, renderer, format). While the impact is limited to data integrity manipulation of a non-security-critical resource (no RCE, no credential exposure), it violates the intended permission boundary and allows a lower-privileged user to influence the data output format used by all users including administrators.

Solution

The permission check #[IsGranted('create_export_template')] was added to the ExportController covering the methods createExportTemplate() and editExportTemplate.

See https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h for more details.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.57.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.58.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T00:34:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `ExportController` web routes for creating and editing export templates are gated only by the class-level `create_export` permission, which is granted to `ROLE_TEAMLEAD` by default. The corresponding API routes and UI button visibility correctly require the stricter `create_export_template` permission, which is granted only to `ROLE_ADMIN` and `ROLE_SUPER_ADMIN`. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users including administrators.\n\n### Details\n\nThe `ExportController` applies the class-level annotation `#[IsGranted(\u0027create_export\u0027)]`.\n\nThe `createExportTemplate` (line 210) and `editExportTemplate` (line 220) methods have no method-level `#[IsGranted(\u0027create_export_template\u0027)]` annotation. The permission hierarchy in `config/packages/kimai.yaml:103,115,122-123` grants `create_export` to `ROLE_TEAMLEAD` via the `EXPORT` permission set, but `create_export_template` only to `ROLE_ADMIN` and `ROLE_SUPER_ADMIN`.\n\nThe API controller correctly requires `create_export_template`. The UI template (`templates/export/index.html.twig:124`) correctly hides the create button behind `create_export_template`. Only the web controller routes are missing the check.\n\n`ExportTemplate` entities are global \u2014 they have no per-user or per-team scoping (`src/Entity/ExportTemplate.php:19-56`). Any template created or modified by a TEAMLEAD which is marked as \"Available for all users\" is visible to and usable by every user in the instance.\n\n*A PoC was provided, but removed for security reasons.*\n\n### Impact\n\nAny user with `ROLE_TEAMLEAD` can create and modify global export templates intended to be managed only by administrators. The templates control the structure and content of exported data (columns, renderer, format). While the impact is limited to data integrity manipulation of a non-security-critical resource (no RCE, no credential exposure), it violates the intended permission boundary and allows a lower-privileged user to influence the data output format used by all users including administrators.\n\n# Solution\n\nThe permission check `#[IsGranted(\u0027create_export_template\u0027)]` was added to the `ExportController` covering the methods `createExportTemplate()` and `editExportTemplate`.\n\nSee [https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h](https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h) for more details.",
  "id": "GHSA-rw46-qg69-vg6h",
  "modified": "2026-07-14T00:34:03Z",
  "published": "2026-07-14T00:34:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-rw46-qg69-vg6h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…