GHSA-V33R-R6H2-8WR7
Vulnerability from github – Published: 2026-03-04 20:43 – Updated: 2026-03-06 15:17
VLAI?
Summary
Kimai's API invoice endpoint missing customer-level access control (IDOR)
Details
Summary
GET /api/invoices/{id} only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams.
Affected Code
src/API/InvoiceController.php line 92-101:
#[IsGranted('view_invoice')] // Role check only, no customer access check
#[Route(methods: ['GET'], path: '/{id}', name: 'get_invoice', requirements: ['id' => '\d+'])]
public function getAction(Invoice $invoice): Response
{
$view = new View($invoice, 200);
$view->getContext()->setGroups(self::GROUPS_ENTITY);
return $this->viewHandler->handle($view); // Returns ANY invoice by ID
}
The web controller (src/Controller/InvoiceController.php line 304-307) correctly checks customer access:
#[IsGranted('view_invoice')]
#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
public function downloadAction(Invoice $invoice, ...): Response { ... }
The access attribute in CustomerVoter (line 71-87) verifies team membership, but this check is entirely missing from the API endpoint.
PoC
Tested against Kimai v2.50.0 (Docker: kimai/kimai2:apache).
Setup: - TeamA with CustomerA ("SecretCorp"), TeamB with CustomerB ("BobCorp") - Bob is a teamlead in TeamB only - An invoice exists for SecretCorp (TeamA)
# Bob (TeamB) reads SecretCorp (TeamA) invoice
curl -H "Authorization: Bearer BOB_TOKEN" http://localhost:8888/api/invoices/1
Response (200 OK):
{
"invoiceNumber": "INV-2026-001",
"total": 15000.0,
"currency": "USD",
"customer": {"name": "SecretCorp", ...}
}
Bob can also enumerate all invoices via GET /api/invoices — the list endpoint uses setCurrentUser() in the query but the single-item endpoint bypasses this entirely via Symfony ParamConverter.
Impact
Any teamlead can read all invoices across the system regardless of team assignment. Invoice data typically contains sensitive financial information (amounts, customer details, payment terms). In multi-team deployments this breaks the intended data isolation between teams.
Suggested Fix
Add the customer access check to the API endpoint, matching the web controller:
#[IsGranted('view_invoice')]
+#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
#[Route(methods: ['GET'], path: '/{id}', name: 'get_invoice')]
public function getAction(Invoice $invoice): Response
Severity ?
6.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.50.0"
},
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.51.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28685"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T20:43:17Z",
"nvd_published_at": "2026-03-06T05:16:38Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`GET /api/invoices/{id}` only checks the role-based `view_invoice` permission but does not verify the requesting user has `access` to the invoice\u0027s customer. Any user with `ROLE_TEAMLEAD` (which grants `view_invoice`) can read all invoices in the system, including those belonging to customers assigned to other teams.\n\n## Affected Code\n\n`src/API/InvoiceController.php` line 92-101:\n\n```php\n#[IsGranted(\u0027view_invoice\u0027)] // Role check only, no customer access check\n#[Route(methods: [\u0027GET\u0027], path: \u0027/{id}\u0027, name: \u0027get_invoice\u0027, requirements: [\u0027id\u0027 =\u003e \u0027\\d+\u0027])]\npublic function getAction(Invoice $invoice): Response\n{\n $view = new View($invoice, 200);\n $view-\u003egetContext()-\u003esetGroups(self::GROUPS_ENTITY);\n return $this-\u003eviewHandler-\u003ehandle($view); // Returns ANY invoice by ID\n}\n```\n\nThe web controller (`src/Controller/InvoiceController.php` line 304-307) correctly checks customer access:\n\n```php\n#[IsGranted(\u0027view_invoice\u0027)]\n#[IsGranted(new Expression(\"is_granted(\u0027access\u0027, subject.getCustomer())\"), \u0027invoice\u0027)]\npublic function downloadAction(Invoice $invoice, ...): Response { ... }\n```\n\nThe `access` attribute in `CustomerVoter` (line 71-87) verifies team membership, but this check is entirely missing from the API endpoint.\n\n## PoC\n\nTested against Kimai v2.50.0 (Docker: `kimai/kimai2:apache`).\n\nSetup:\n- TeamA with CustomerA (\"SecretCorp\"), TeamB with CustomerB (\"BobCorp\")\n- Bob is a teamlead in TeamB only\n- An invoice exists for SecretCorp (TeamA)\n\n```bash\n# Bob (TeamB) reads SecretCorp (TeamA) invoice\ncurl -H \"Authorization: Bearer BOB_TOKEN\" http://localhost:8888/api/invoices/1\n```\n\nResponse (200 OK):\n```json\n{\n \"invoiceNumber\": \"INV-2026-001\",\n \"total\": 15000.0,\n \"currency\": \"USD\",\n \"customer\": {\"name\": \"SecretCorp\", ...}\n}\n```\n\nBob can also enumerate all invoices via `GET /api/invoices` \u2014 the list endpoint uses `setCurrentUser()` in the query but the single-item endpoint bypasses this entirely via Symfony ParamConverter.\n\n## Impact\n\nAny teamlead can read all invoices across the system regardless of team assignment. Invoice data typically contains sensitive financial information (amounts, customer details, payment terms). In multi-team deployments this breaks the intended data isolation between teams.\n\n## Suggested Fix\n\nAdd the customer access check to the API endpoint, matching the web controller:\n\n```diff\n #[IsGranted(\u0027view_invoice\u0027)]\n+#[IsGranted(new Expression(\"is_granted(\u0027access\u0027, subject.getCustomer())\"), \u0027invoice\u0027)]\n #[Route(methods: [\u0027GET\u0027], path: \u0027/{id}\u0027, name: \u0027get_invoice\u0027)]\n public function getAction(Invoice $invoice): Response\n```",
"id": "GHSA-v33r-r6h2-8wr7",
"modified": "2026-03-06T15:17:08Z",
"published": "2026-03-04T20:43:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28685"
},
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
},
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/releases/tag/2.51.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kimai\u0027s API invoice endpoint missing customer-level access control (IDOR)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…