{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40486", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-17T22:35:53.543Z", "dateUpdated": "2026-04-20T14:56:51.165Z"}, "containers": {"cna": {"title": "Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate", "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp"}, {"name": "https://github.com/kimai/kimai/releases/tag/2.53.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/releases/tag/2.53.0"}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"version": "< 2.53.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T22:35:53.543Z"}, "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0."}], "source": {"advisory": "GHSA-qh43-xrjm-4ggp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:42:34.303178Z", "id": "CVE-2026-40486", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:51.165Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40486", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:42:34.303178Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:42:35.651Z"}}], "cna": {"title": "Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate", "source": {"advisory": "GHSA-qh43-xrjm-4ggp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"status": "affected", "version": "< 2.53.0"}]}], "references": [{"url": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp", "name": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kimai/kimai/releases/tag/2.53.0", "name": "https://github.com/kimai/kimai/releases/tag/2.53.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T22:35:53.543Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40486", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:56:51.165Z", "dateReserved": "2026-04-13T19:50:42.114Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T22:35:53.543Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAC5679C-F10E-4F6E-9FB9-E16578E062C3", "versionEndExcluding": "2.53.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0."}], "id": "CVE-2026-40486", "lastModified": "2026-04-27T19:33:17.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T23:16:12.593", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kimai/kimai/releases/tag/2.53.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.53.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kimai", "source": "cna", "vendor": "kimai"}, "product": "kimai", "vendor": "kimai"}], "analysis": {"en": {"generated_at": "2026-04-18T08:51:30.515753+00:00", "value": {"mitigation_remediation": ["Upgrade Kimai to version 2.53.0 or later, which enforces the correct permission checks for hourly_rate and internal_rate preferences.", "Implement an additional enforcement layer that validates the isEnabled flag or the user\u2019s hourly\u2011rate role before accepting preference changes, to provide a defense\u2011in\u2011depth measure if an upgrade is delayed.", "Continuously monitor audit logs for changes to hourly_rate and internal_rate values and audit generated invoices for anomalies to detect potential misuse."], "summary": {"action": "Immediate patch", "impact": "Unauthorized modification of user billing rates leading to financial tampering"}, "threat_synthesis": {"affected_systems": "Versions of Kimai up to and including 2.52.0 are affected. The issue was resolved in version 2.53.0, which implements proper permission checks for these preferences.", "description_and_impact": "Kimai\u2019s User Preferences API endpoint PATCH /api/users/{id}/preferences does not honor the isEnabled flag on certain preference objects. Because the hourly_rate and internal_rate preferences are correctly marked as disabled for users lacking the hourly\u2011rate role, the API nevertheless accepts and stores values sent for these fields. Any authenticated user can therefore alter their own billing rates, which are subsequently used in invoice generation and timesheet calculations. The vulnerability is a classic instance of a permission enforcement bypass, classified as CWE\u2011915.", "risk_and_exploitability": "The CVSS score of 4.3 places this vulnerability in the low\u2011to\u2011medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attack requires authentication and access to the API, so an attacker must be a legitimate user of the application. While the impact is confined to the affected user\u2019s own invoices and payroll calculations, it can cause significant financial inaccuracies if abused."}}}}, "created": "2026-04-18T00:00:09.223994+00:00", "updated": "2026-04-18T09:00:05.894590+00:00", "vendors": ["kimai", "kimai$PRODUCT$kimai"]}