CVE-2026-28685 in Kimai
Summary
by MITRE • 03/06/2026
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
Analysis
by VulDB Data Team • 03/11/2026
The vulnerability identified as CVE-2026-28685 affects Kimai, a web-based time-tracking application designed for multi-user environments. The flaw is an authorization bypass of the broken-object-level-authorization kind: the API endpoint that returns a single invoice validates the caller's role but not the caller's relationship to the record being requested. The result is a path to data the caller was never meant to see, in direct violation of the principle of least privilege.
Technically, the issue resides in the GET /api/invoices/{id} endpoint. Before version 2.51.0 the handler checks only that the requesting user holds the role-based view_invoice permission; it never verifies that the user may access the customer to which the invoice belongs. Any user with ROLE_TEAMLEAD, a role that grants view_invoice, therefore passes the check for every invoice in the system, not just those of customers assigned to the team lead's own teams. Because the invoice identifier is a plain numeric path parameter, a team lead can walk the ID space and read invoices belonging to customers assigned to other teams, which defeats the team-based visibility boundary that is supposed to separate customer data inside a single Kimai instance.
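The difference between the two checks is easiest to see in code. The following is an added illustration written for this page, not Kimai's own code: the role table, the team-membership rule, the User/Customer/Invoice model and the sample data are all assumptions, and only the fact that ROLE_TEAMLEAD grants view_invoice comes from the advisory. `get_invoice_vulnerable` reproduces the pre-2.51.0 behaviour described above (role check only); `get_invoice_fixed` adds the object-level check that the requesting user shares a team with the invoice's customer.

```python
"""Role-only vs. role-plus-customer authorization for GET /api/invoices/{id}.

Illustrative model, not Kimai code: the role table, team membership rule,
data classes and sample data below are assumptions made for this example.
"""
from dataclasses import dataclass

# Hypothetical role-to-permission table. Only "ROLE_TEAMLEAD grants view_invoice"
# is taken from the advisory; the rest is invented for the example.
ROLE_PERMISSIONS = {
    "ROLE_USER": frozenset(),
    "ROLE_TEAMLEAD": frozenset({"view_invoice"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    teams: frozenset  # teams the user belongs to


@dataclass(frozen=True)
class Customer:
    name: str
    teams: frozenset  # teams assigned to this customer


@dataclass(frozen=True)
class Invoice:
    id: int
    customer: Customer


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def has_permission(user, permission):
    """Role-based check: does any of the user's roles carry the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)


def can_access_customer(user, customer):
    """Object-level check: the user must share at least one team with the customer."""
    return bool(user.teams & customer.teams)


def get_invoice_vulnerable(user, invoice_id, invoices):
    """Pre-2.51.0 behaviour as described in the advisory: the role check alone gates access."""
    if not has_permission(user, "view_invoice"):
        raise Forbidden(user.name)
    if invoice_id not in invoices:
        raise NotFound(invoice_id)
    return invoices[invoice_id]


def get_invoice_fixed(user, invoice_id, invoices):
    """Role check first, then verify the user may see this invoice's customer."""
    if not has_permission(user, "view_invoice"):
        raise Forbidden(user.name)
    if invoice_id not in invoices:
        raise NotFound(invoice_id)
    invoice = invoices[invoice_id]
    if not can_access_customer(user, invoice.customer):
        raise Forbidden(f"{user.name} -> customer {invoice.customer.name}")
    return invoice


def fetch(handler, user, invoice_id, invoices):
    """Map the handler outcome to the HTTP status an API client would observe."""
    try:
        handler(user, invoice_id, invoices)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


# Constructed sample data: two customers on different teams, one invoice each.
ACME = Customer("acme", frozenset({"team-a"}))
GLOBEX = Customer("globex", frozenset({"team-b"}))
INVOICES = {1: Invoice(1, ACME), 2: Invoice(2, GLOBEX)}
ALICE = User("alice", frozenset({"ROLE_TEAMLEAD"}), frozenset({"team-a"}))
BOB = User("bob", frozenset({"ROLE_USER"}), frozenset({"team-b"}))


def regression_matrix():
    """Status per (handler, user, invoice id). The vulnerable alice/2 entry is the bug:
    a team-a lead reads a team-b customer's invoice. ID 3 does not exist."""
    return {
        (handler.__name__, user.name, invoice_id): fetch(handler, user, invoice_id, INVOICES)
        for handler in (get_invoice_vulnerable, get_invoice_fixed)
        for user in (ALICE, BOB)
        for invoice_id in (1, 2, 3)
    }


if __name__ == "__main__":
    for key, status in sorted(regression_matrix().items()):
        print(key, status)
```

Two design points worth noting. The fixed handler keeps the cheap role check first and performs the customer check only after loading the record, because the object-level decision needs the invoice's customer. It also answers 403 for an existing-but-foreign invoice and 404 for a missing one; that distinction is convenient for clients but lets a team lead confirm which invoice IDs exist, so deployments that care about that oracle return 404 in both cases.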
From an operational perspective, the exposure matters for any organization that uses Kimai for time tracking and billing. Invoices carry customer names and addresses, billed amounts, rates and the work that was charged for, so a team lead who reads other teams' invoices obtains billing and financial records that the team assignment was meant to keep from them. For invoices specifically, the flaw collapses the team boundary: every team lead effectively sees every invoice in the instance, which undermines the separation organizations expect when several teams, or work for several customers, share one Kimai installation.
In terms of weakness classification the issue is CWE-284 (Improper Access Control), a textbook case of a missing authorization check at the object level. The vulnerability itself has no ATT&CK technique of its own; the mappings describe the surrounding activity. Exploitation requires an existing account holding ROLE_TEAMLEAD, so it fits T1078 (Valid Accounts), whether the account belongs to a malicious insider or was taken over, for instance through phishing (T1566), and any invoice data pulled out through the API and then moved off the network falls under T1041 (Exfiltration Over C2 Channel). The missing customer-level check is a standing risk from both internal and external actors wherever multiple teams share a single Kimai instance.
Organizations should upgrade to version 2.51.0 or later, which adds the missing customer-level access check to the endpoint. After upgrading, confirm the fix directly: with a ROLE_TEAMLEAD account, request GET /api/invoices/{id} for an invoice whose customer is not assigned to that account's teams and verify the request is rejected rather than answered with the invoice. Until the upgrade is in place, limit who holds ROLE_TEAMLEAD and restrict which clients can reach the /api/ endpoints at all. Monitoring is also worthwhile, during and after the window of exposure: a single client reading many distinct invoice IDs, especially consecutive ones, in a short period is the signature of someone walking the ID space, and web-server access logs are enough to spot it. Finally, note that generic vulnerability scanners rarely find this class of bug, because every request is fully authenticated and the server answers normally; the reliable test is authenticated testing with two accounts of the same role in different teams, checking that neither can read the other's records. This kind of flaw appears again and again in applications where role-based checks and record-level (team or customer) checks are implemented separately and never combined, and it is a reminder that data isolation in a multi-user application depends on both.