CVE-2026-28685

Published March 6th, 2026

View on NVD ↗

CVSS v3

6.5

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.

kimai/kimai

Kimai is the #1 open-source time-tracking application. From freelancers to companies and organisations - everyone can manage timesheets, generate reports, create invoices and so much more... Web-based multi-user application, available as On-Premise or SaaS version: https://www.kimai.org

GitHub

4.77K