Team API Vulnerability in Kimai Open-Source Time Tracking Application
CVE-2026-41498

3.3 LOW

Key Information:

Vendor: Kimai
Status: Vendor
CVE Published: 8 May 2026

What is CVE-2026-41498?

The Kimai open-source time tracking application has an access control vulnerability in its Team API endpoints. Before version 2.54.0, these endpoints used #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')]. The first form only checks that the user holds the edit_team permission at all; the second also asks the security voter whether the user may edit this particular team. As a result, any user with the edit_team permission could modify any team, bypassing the entity-level ownership checks that should restrict them to their own teams. Users are advised to upgrade to version 2.54.0, where this issue is fixed.
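As an added illustration (not Kimai's own code), the two attribute forms named above side by side in a hypothetical Symfony controller, together with the voter that performs the entity-level ownership check the bare permission form skips; Team, User, TeamVoter and hasTeamlead() are assumed names, not identifiers from the project.

```php
<?php
// Added illustration, not Kimai's own code. Team, User, TeamVoter and
// hasTeamlead() are hypothetical names assumed for this example.
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class WeakTeamApiController
{
    // Weak: 'edit_team' is a bare permission with no subject, evaluated per user,
    // not per team, so any holder of the permission may rename any team.
    #[IsGranted('edit_team')]
    public function rename(Team $team, string $newName): JsonResponse
    {
        $team->setName($newName);
        return new JsonResponse(['id' => $team->getId(), 'name' => $team->getName()]);
    }
}

final class HardenedTeamApiController
{
    // Hardened: the second argument names the controller parameter passed to the
    // voters as subject, so TeamVoter decides for this specific team.
    #[IsGranted('edit', 'team')]
    public function rename(Team $team, string $newName): JsonResponse
    {
        $team->setName($newName);
        return new JsonResponse(['id' => $team->getId(), 'name' => $team->getName()]);
    }
}

final class TeamVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === 'edit' && $subject instanceof Team; // only Team subjects
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // anonymous requests never pass
        }
        // Entity-level check: admins may edit any team, others only a team they lead.
        // The bare 'edit_team' form never reaches this method.
        return in_array('ROLE_ADMIN', $user->getRoles(), true) || $subject->hasTeamlead($user);
    }
}
```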

Affected Version(s)

kimai < 2.54.0

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved