Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28685 is an Insecure Direct Object Reference (IDOR) vulnerability in the Kimai time-tracking software affecting the API invoice endpoint prior to version 2.51.0.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the GET /api/invoices/{id} endpoint only checks if the user has the role-based permission 'view_invoice' (typically granted to users with ROLE_TEAMLEAD) but does not verify whether the user has access rights to the customer associated with the invoice."}, {'type': 'paragraph', 'content': 'As a result, any user with the ROLE_TEAMLEAD role can access invoices belonging to customers assigned to other teams, bypassing intended data isolation and exposing sensitive invoice data.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized users with the ROLE_TEAMLEAD role to access all invoices in the system, including those of customers assigned to other teams.

The impact includes unauthorized disclosure of sensitive financial information such as invoice numbers, total amounts, currencies, customer details, and payment terms.

This breaks data isolation in multi-team deployments, potentially leading to confidentiality breaches and exposure of confidential business data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing whether users with the ROLE_TEAMLEAD role can access invoices belonging to customers outside their assigned teams via the API endpoint GET /api/invoices/{id}.'}, {'type': 'paragraph', 'content': 'A practical approach is to attempt authorized GET requests to the invoice API endpoint using credentials of a user with ROLE_TEAMLEAD and verify if invoices from other customers are accessible.'}, {'type': 'paragraph', 'content': 'For example, using curl to test access:'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <token>" https://<kimai-server>/api/invoices/<invoice_id>'}, {'type': 'paragraph', 'content': "If the response returns invoice data for customers not assigned to the user's team, the system is vulnerable."}, {'type': 'paragraph', 'content': 'Additionally, reviewing API logs for unexpected access patterns where team leads access invoices outside their teams can help detect exploitation.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation is to upgrade Kimai to version 2.51.0 or later, where the vulnerability has been patched by enforcing customer permission checks on invoice API endpoints.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, restrict access to the API endpoints for users with the ROLE_TEAMLEAD role or implement additional access controls to ensure users cannot access invoices outside their assigned customers.'}, {'type': 'paragraph', 'content': 'Review and apply the patch that adds permission checks in the InvoiceController API methods, specifically adding the Symfony security attribute to verify customer access.'}, {'type': 'list_item', 'content': 'Add the annotation #[IsGranted(new Expression("is_granted(\'access\', subject.getCustomer())"), \'invoice\')] to the API invoice controller methods.'}, {'type': 'paragraph', 'content': 'Monitor and audit API access logs for unauthorized invoice access attempts.'}] [1, 2, 3]

Useful 0 Not Useful 0