Description
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0.
Published: 2026-04-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of user billing rates leading to financial tampering
Action: Immediate patch
AI Analysis

Impact

Kimai’s User Preferences API endpoint PATCH /api/users/{id}/preferences does not honor the isEnabled flag on preference objects. Although the hourly_rate and internal_rate preferences are correctly marked as disabled for users lacking the hourly‑rate role, the API nevertheless accepts and stores values sent for these fields. Any authenticated user can therefore alter their own billing rates, which are subsequently used in invoice generation and timesheet calculations. The vulnerability is a permission‑enforcement bypass on mass‑assigned attributes, classified as CWE‑915 (Improperly Controlled Modification of Dynamically‑Determined Object Attributes).
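The defect described above is easiest to see as two versions of the same update loop. The following is an added illustration, not Kimai’s code: the class and function names (UserPreference, applyPatchUnchecked, applyPatchChecked, preferencesForUser) and the preference set are assumptions chosen for this example. The unchecked variant writes every matching key from the PATCH body; the checked variant consults isEnabled() first and reports rejected keys so the request can be answered with an error rather than silently dropped.

```php
<?php
// Added example (not Kimai's code): a minimal model of a preference-update
// handler applying a decoded PATCH body to a user's preference objects.
// All names here are assumptions for illustration, not Kimai's classes.

declare(strict_types=1);

final class UserPreference
{
    public function __construct(
        private string $name,
        private mixed $value,
        private bool $enabled,
    ) {}

    public function getName(): string { return $this->name; }
    public function getValue(): mixed { return $this->value; }
    public function isEnabled(): bool { return $this->enabled; }
    public function setValue(mixed $value): void { $this->value = $value; }
}

/**
 * Vulnerable pattern: every submitted key that names a preference is written
 * through, whether or not that preference is enabled for this user.
 *
 * @param array<string, UserPreference> $prefs keyed by preference name
 * @param array<string, mixed>          $body  decoded PATCH body
 * @return string[] names of preferences that were changed
 */
function applyPatchUnchecked(array $prefs, array $body): array
{
    $changed = [];
    foreach ($body as $name => $value) {
        if (isset($prefs[$name])) {
            $prefs[$name]->setValue($value);
            $changed[] = $name;
        }
    }
    return $changed;
}

/**
 * Hardened pattern: a disabled preference is never written, and unknown keys
 * are rejected too. The caller receives both lists and can answer with a 4xx
 * instead of quietly ignoring part of the request.
 *
 * @return array{applied: string[], rejected: string[]}
 */
function applyPatchChecked(array $prefs, array $body): array
{
    $applied = [];
    $rejected = [];
    foreach ($body as $name => $value) {
        if (!isset($prefs[$name]) || !$prefs[$name]->isEnabled()) {
            $rejected[] = $name; // unknown, or disabled for this user
            continue;
        }
        $prefs[$name]->setValue($value);
        $applied[] = $name;
    }
    return ['applied' => $applied, 'rejected' => $rejected];
}

// Preferences for one user. When the user lacks the hourly-rate role the
// two rate preferences exist but are disabled, the state the advisory describes.
function preferencesForUser(bool $hasHourlyRateRole): array
{
    return [
        'timezone'      => new UserPreference('timezone', 'UTC', true),
        'hourly_rate'   => new UserPreference('hourly_rate', 50.0, $hasHourlyRateRole),
        'internal_rate' => new UserPreference('internal_rate', 30.0, $hasHourlyRateRole),
    ];
}

// Constructed PATCH body: a standard user sends a new timezone and a new rate.
$body = ['timezone' => 'Europe/Berlin', 'hourly_rate' => 500.0];

$prefs = preferencesForUser(false);
applyPatchUnchecked($prefs, $body);
printf("unchecked: hourly_rate is now %.2f\n", $prefs['hourly_rate']->getValue());

$prefs = preferencesForUser(false);
$result = applyPatchChecked($prefs, $body);
printf("checked:   hourly_rate is still %.2f, rejected=[%s]\n",
    $prefs['hourly_rate']->getValue(), implode(',', $result['rejected']));
```

Run with `php example.php`. The important design point is in applyPatchChecked: the enabled flag is evaluated on the server from the user's roles, never taken from the request, and a rejected key is reported rather than ignored, which keeps clients from assuming a partial write succeeded.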

Affected Systems

Versions of Kimai up to and including 2.52.0 are affected. The issue was resolved in version 2.53.0, which implements proper permission checks for these preferences.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the low‑to‑medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and API access, so an attacker must already hold a legitimate account on the application. While the impact is confined to the affected user’s own invoices and payroll calculations, it can cause significant financial inaccuracies if abused.

Generated by OpenCVE AI on April 18, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kimai to version 2.53.0 or later, which enforces the correct permission checks for hourly_rate and internal_rate preferences.
  • Implement an additional enforcement layer that validates the isEnabled flag or the user’s hourly‑rate role before accepting preference changes, to provide a defense‑in‑depth measure if an upgrade is delayed.
  • Continuously monitor audit logs for changes to hourly_rate and internal_rate values and audit generated invoices for anomalies to detect potential misuse.
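The monitoring recommendation above can be turned into a small log check. This is an added example and not Kimai’s code: the audit-log format (one JSON object per line with the fields timestamp, event, actor_id, user_id, preference, old, new) and the function name findRateChanges are constructed for the example, so map the field names onto whatever your audit logging actually emits. It flags every change to hourly_rate or internal_rate and marks the self-service case, a user changing rates on their own record, which is the pattern the advisory describes.

```php
<?php
// Added example (not Kimai's code): scan an audit trail of preference changes
// and surface modifications to the billing-rate preferences. The log format
// and field names below are constructed for this example.

declare(strict_types=1);

const RATE_PREFERENCES = ['hourly_rate', 'internal_rate'];

/**
 * Returns one finding per log entry that changes a rate preference.
 * An entry where the actor is the same user as the modified record is
 * marked self_service; an administrator editing another user is not.
 *
 * @return array<int, array<string, mixed>>
 */
function findRateChanges(string $jsonLines): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($jsonLines)) as $index => $line) {
        if ($line === '') {
            continue;
        }
        $entry = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        if (($entry['event'] ?? '') !== 'preference.update') {
            continue;
        }
        if (!in_array($entry['preference'] ?? '', RATE_PREFERENCES, true)) {
            continue;
        }
        $findings[] = [
            'line'         => $index + 1,
            'timestamp'    => $entry['timestamp'],
            'user_id'      => $entry['user_id'],
            'actor_id'     => $entry['actor_id'],
            'preference'   => $entry['preference'],
            'old'          => (float) $entry['old'],
            'new'          => (float) $entry['new'],
            'self_service' => $entry['actor_id'] === $entry['user_id'],
        ];
    }
    return $findings;
}

// Constructed sample log: a harmless timezone change, a rate change made by
// an administrator (actor 1) on user 7, and two self-service rate changes.
$sampleLog = <<<'LOG'
{"timestamp":"2026-04-17T10:00:00Z","event":"preference.update","actor_id":7,"user_id":7,"preference":"timezone","old":"UTC","new":"Europe/Berlin"}
{"timestamp":"2026-04-17T10:05:00Z","event":"preference.update","actor_id":1,"user_id":7,"preference":"hourly_rate","old":"50","new":"55"}
{"timestamp":"2026-04-17T10:09:00Z","event":"preference.update","actor_id":7,"user_id":7,"preference":"hourly_rate","old":"55","new":"500"}
{"timestamp":"2026-04-17T10:10:00Z","event":"preference.update","actor_id":7,"user_id":7,"preference":"internal_rate","old":"30","new":"0"}
LOG;

foreach (findRateChanges($sampleLog) as $f) {
    printf("line %d %s user=%d actor=%d %s %.2f -> %.2f%s\n",
        $f['line'], $f['timestamp'], $f['user_id'], $f['actor_id'], $f['preference'],
        $f['old'], $f['new'], $f['self_service'] ? '  [SELF-SERVICE RATE CHANGE]' : '');
}
```

In a deployment still on an affected version, the self_service findings are the ones to reconcile against invoices generated after each timestamp; after upgrading, any such finding from a user without the hourly-rate role indicates the fix is not in effect.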

Advisories

Source: Github GHSA
ID: GHSA-qh43-xrjm-4ggp
Title: Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

History

Mon, 20 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 18 Apr 2026 00:15:00 +0000

Type: First Time appeared
Values Added: Kimai; Kimai kimai

Type: Vendors & Products
Values Added: Kimai; Kimai kimai

Fri, 17 Apr 2026 22:45:00 +0000

Type: Description
Values Added: Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0.

Type: Title
Values Added: Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Type: Weaknesses
Values Added: CWE-915

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:56:51.165Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40486

Vulnrichment

Updated: 2026-04-20T14:42:35.651Z

NVD

Status: Awaiting Analysis

Published: 2026-04-17T23:16:12.593

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-40486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses