CVE-2026-28685 - Vulnerability Details

- Kimai: API invoice endpoint missing customer-level access control (IDOR)

Description

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.

Published: 2026-03-06

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Kimai’s API endpoint for retrieving invoices performs a role-based permission check for view_invoice but does not confirm that the requester’s assigned customer matches the invoice’s customer. Consequently, a user granted the ROLE_TEAMLEAD role—allowed to view invoices in general—can retrieve any invoice in the system, even those belonging to customers under different teams. This results in confidentiality leakage of sensitive billing information. The weakness corresponds to CWE‑285, indicating improper authorization checks.

Affected Systems

The affected product is Kimai by Kimai. All installations of Kimai released before version 2.51.0 are vulnerable, regardless of the specific minor patch level. Customers using the API endpoint directly (GET /api/invoices/{id}) on these versions should consider themselves exposed.

Risk and Exploitability

The CVSS score is 6.5, denoting moderate severity. EPSS is < 1%, suggesting a low probability of exploitation at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a compromised or privileged user in the system who authenticates and makes direct API requests. No additional network or privilege escalation steps are required; the flaw can be exploited over any web connection that permits authenticated API calls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kimai

affected

Version	Status	Constraints
`< 2.51.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Kimai

100%

Version	Status	Scheme	Platform
`[0,2.51.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Kimai to version 2.51.0 or later on all instances, which adds the missing customer-level check.
Restart the web services to load the updated code.
Re‑evaluate role assignments, move users out of ROLE_TEAMLEAD to more restrictive roles, and enable logging of API invoice accesses to detect any residual misuse.

Generated by OpenCVE AI on April 17, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v33r-r6h2-8wr7	Kimai's API invoice endpoint missing customer-level access control (IDOR)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f
https://github.com/kimai/kimai/releases/tag/2.51.0
https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7

History

Tue, 10 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:kimai:kimai::::::::

Mon, 09 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kimai Kimai kimai
Vendors & Products		Kimai Kimai kimai

Fri, 06 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
Title		Kimai: API invoice endpoint missing customer-level access control (IDOR)
Weaknesses		CWE-285
References		https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f https://github.com/kimai/kimai/releases/tag/2.51.0 https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Kimai Kimai

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T04:49:08.312Z

Updated: 2026-03-09T19:46:54.339Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28685

Vulnrichment

Updated: 2026-03-09T19:46:50.876Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:38.770

Modified: 2026-03-10T19:52:21.203

Link: CVE-2026-28685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object