{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28685", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-06T04:49:08.312Z", "dateUpdated": "2026-03-09T19:46:54.339Z"}, "containers": {"cna": {"title": "Kimai: API invoice endpoint missing customer-level access control (IDOR)", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"}, {"name": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"}, {"name": "https://github.com/kimai/kimai/releases/tag/2.51.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/releases/tag/2.51.0"}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"version": "< 2.51.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:49:08.312Z"}, "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0."}], "source": {"advisory": "GHSA-v33r-r6h2-8wr7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:46:43.839705Z", "id": "CVE-2026-28685", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:46:54.339Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28685", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:46:43.839705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:46:50.876Z"}}], "cna": {"title": "Kimai: API invoice endpoint missing customer-level access control (IDOR)", "source": {"advisory": "GHSA-v33r-r6h2-8wr7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"status": "affected", "version": "< 2.51.0"}]}], "references": [{"url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7", "name": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f", "name": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kimai/kimai/releases/tag/2.51.0", "name": "https://github.com/kimai/kimai/releases/tag/2.51.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:49:08.312Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28685", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:46:54.339Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:49:08.312Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EDBE56C-4861-486D-85FA-234F4CAA4437", "versionEndExcluding": "2.51.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0."}, {"lang": "es", "value": "Kimai es una aplicaci\u00f3n de seguimiento de tiempo multiusuario basada en web. Antes de la versi\u00f3n 2.51.0, 'GET /API/invoices/{id}' solo verifica el permiso view_invoice basado en roles, pero no verifica que el usuario solicitante tenga acceso al cliente de la factura. Cualquier usuario con ROLE_TEAMLEAD (que otorga view_invoice) puede leer todas las facturas en el sistema, incluyendo aquellas que pertenecen a clientes asignados a otros equipos. Este problema ha sido parcheado en la versi\u00f3n 2.51.0."}], "id": "CVE-2026-28685", "lastModified": "2026-03-10T19:52:21.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:38.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kimai/kimai/releases/tag/2.51.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.51.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kimai", "source": "cna", "vendor": "kimai"}, "product": "kimai", "vendor": "kimai"}], "analysis": {"en": {"generated_at": "2026-04-17T12:24:55.003469+00:00", "value": {"mitigation_remediation": ["Upgrade Kimai to version\u00a02.51.0 or later on all instances, which adds the missing customer-level check.", "Restart the web services to load the updated code.", "Re\u2011evaluate role assignments, move users out of ROLE_TEAMLEAD to more restrictive roles, and enable logging of API invoice accesses to detect any residual misuse."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to invoice data via IDOR"}, "threat_synthesis": {"affected_systems": "The affected product is Kimai by Kimai. All installations of Kimai released before version 2.51.0 are vulnerable, regardless of the specific minor patch level. Customers using the API endpoint directly (GET\u00a0/api/invoices/{id}) on these versions should consider themselves exposed.", "description_and_impact": "Kimai\u2019s API endpoint for retrieving invoices performs a role-based permission check for view_invoice but does not confirm that the requester\u2019s assigned customer matches the invoice\u2019s customer. Consequently, a user granted the ROLE_TEAMLEAD role\u2014allowed to view invoices in general\u2014can retrieve any invoice in the system, even those belonging to customers under different teams. This results in confidentiality leakage of sensitive billing information. The weakness corresponds to CWE\u2011285, indicating improper authorization checks.", "risk_and_exploitability": "The CVSS score is 6.5, denoting moderate severity. EPSS is <\u00a01%, suggesting a low probability of exploitation at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a compromised or privileged user in the system who authenticates and makes direct API requests. No additional network or privilege escalation steps are required; the flaw can be exploited over any web connection that permits authenticated API calls."}}}}, "created": "2026-03-06T14:55:42.346296+00:00", "updated": "2026-04-17T12:30:06.266109+00:00", "vendors": ["kimai", "kimai$PRODUCT$kimai"]}