Kimai has Missing Object-Level Authorization in the Team API — CVE-2026-41498
GitHub · GitHub · CVE-2026-41498
ID
CVE-2026-41498
CVE-2026-41498
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
low
low
CVSS
3.3
3.3
EPSS
0.00023
0.00023
Summary
### Summary The Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. ### Details All 8 team association endpoints in src/API/TeamController.php (lines…
Product
composer: kimai/kimai
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.