CVE-2026-40486
Authorization Bypass in Kimai User Preferences Allows Billing Rate Tampering
Publication date: 2026-04-17
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kimai | kimai | all versions before 2.53.0 (2.53.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Kimai, an open-source time-tracking application, in versions 2.52.0 and earlier (every release before 2.53.0). The flaw is in the User Preferences API endpoint (PATCH /api/users/{id}/preferences): it saves every submitted preference value without checking whether that preference is actually enabled for the requesting user. The hourly_rate and internal_rate preferences are presented as disabled fields for users who lack the hourly-rate permission, but the API ignores that disabled state and persists the submitted values anyway. This is a mass-assignment weakness (CWE-915): the client-supplied list of fields decides what gets written, instead of a server-side allow-list derived from the caller's permissions.
As a result, any authenticated user can set their own billing rates through this endpoint, corrupting the financial basis of every invoice and timesheet calculation that uses them. The issue was fixed in Kimai 2.53.0.
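The following is an added illustration of the flaw class, not Kimai's own code: it models a preference-update handler that trusts the submitted field list (the behaviour the advisory describes for versions before 2.53.0) next to a hardened handler that only applies preferences enabled for the caller. The preference names hourly_rate and internal_rate and the permission name hourly-rate come from the advisory above; the User and PreferenceForm classes, the function names, the other preference names and the way permissions are represented are assumptions made for this example.

```python
"""Model of CVE-2026-40486 (CWE-915) and its fix. Added example, not Kimai code.

Assumed for the illustration: users carry a set of permission strings, the
preference form is a dict of PreferenceForm objects, and the permission that
unlocks rate editing is named exactly as the advisory calls it.
"""
from dataclasses import dataclass, field

HOURLY_RATE_PERMISSION = "hourly-rate"          # name taken from the advisory
RATE_PREFERENCES = {"hourly_rate", "internal_rate"}
ALL_PREFERENCES = ("timezone", "language", "hourly_rate", "internal_rate")  # assumed


@dataclass
class PreferenceForm:
    name: str
    enabled: bool      # False: the field is rendered disabled for this user
    value: object


@dataclass
class User:
    username: str
    permissions: set
    preferences: dict = field(default_factory=dict)


def build_preference_forms(user: User) -> dict:
    """Build the per-user form: rate fields exist for everyone but are only
    enabled when the user holds the hourly-rate permission."""
    can_edit_rates = HOURLY_RATE_PERMISSION in user.permissions
    forms = {}
    for name in ALL_PREFERENCES:
        enabled = can_edit_rates if name in RATE_PREFERENCES else True
        forms[name] = PreferenceForm(name, enabled, user.preferences.get(name))
    return forms


def patch_preferences_vulnerable(user: User, submitted: dict) -> dict:
    """Pre-2.53.0 behaviour as described: any submitted value whose name
    matches a known preference is saved, whether or not the field is
    enabled. The disabled flag is consulted by the UI only."""
    forms = build_preference_forms(user)
    for name, value in submitted.items():
        if name in forms:
            user.preferences[name] = value
    return user.preferences


def patch_preferences_fixed(user: User, submitted: dict):
    """Hardened handler: validate the whole request against the server-side
    form first, and apply nothing if any submitted field is unknown or
    disabled for this caller (all-or-nothing, like a 4xx response)."""
    forms = build_preference_forms(user)
    rejected = [name for name in submitted
                if name not in forms or not forms[name].enabled]
    if not rejected:
        for name, value in submitted.items():
            user.preferences[name] = value
    return user.preferences, rejected


if __name__ == "__main__":
    # Constructed scenario: a plain user without the hourly-rate permission
    # submits a PATCH body that sneaks in a new hourly_rate.
    payload = {"timezone": "Europe/Berlin", "hourly_rate": 500.0}
    alice = User("alice", set(), {"hourly_rate": 50.0, "timezone": "UTC"})
    print("vulnerable:", patch_preferences_vulnerable(alice, payload))
    bob = User("bob", set(), {"hourly_rate": 50.0, "timezone": "UTC"})
    print("fixed:", patch_preferences_fixed(bob, payload))
```

The design choice worth copying is in patch_preferences_fixed: the server rebuilds the form for the caller and rejects the request as a whole when any field is not editable, rather than silently dropping the offending field, so a client that sends hourly_rate by mistake gets an explicit error instead of a partial update.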
How can this vulnerability impact me?
This vulnerability allows any authenticated user to change their own billing rates without proper authorization. This unauthorized modification can lead to financial tampering, impacting the accuracy of invoices and timesheet calculations.
Such tampering could result in incorrect billing, potential financial losses for organizations, and undermine trust in the time tracking and billing system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Kimai to version 2.53.0 or later, where the endpoint honours the disabled state of the rate preferences.
Until the upgrade is applied, assume that any user with API access can set their own hourly_rate and internal_rate. Restrict access to PATCH /api/users/{id}/preferences to trusted users (for example by blocking that route in front of Kimai if no legitimate client needs it), and monitor users' stored hourly_rate and internal_rate values for unexpected changes. Note that upgrading does not revert rates that were already tampered with: compare the stored rates against the values finance expects before the next invoicing run, both before and after the upgrade.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets any authenticated user alter their own billing rates without authorization, so invoices and timesheet calculations produced by an affected instance cannot be trusted to be accurate.
The CVE description does not reference GDPR, HIPAA or any other specific standard. Unauthorized modification of financial data is, however, an integrity failure of the kind that regulations and audit frameworks requiring accurate financial records and controlled changes to them are designed to prevent.
Organizations running affected versions should assess which invoices and timesheet reports were generated while the flaw was exploitable and, where financial data integrity is subject to regulatory or contractual requirements, treat possible rate tampering during that window as a reportable integrity issue.