Recently added

Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP

Two-factor authentication (TOTP) can be fully bypassed for the REST API. The KIMAI_SESSION cookie returned in the response to the login request; issued after only the password is verified, before the TOTP step; is already accepted as authenticated by every /api/* endpoint. So after submitting just the password, the web UI correctly holds the browser at the TOTP screen (/en/auth/2fa), but the cookie from that same login response can be …

Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes

Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser's existing session for /api/* requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly modify business state. As a result, an attacker can trick a logged-in user into visiting a malicious page and cause unauthorized timesheet actions without the victim's consent. Depending on the …

Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic create_activity permission, but without access to a target project, can still create a new Activity under that unauthorized project by visiting the preset project creation route directly. This is a persistent cross-project business-object creation issue. The attacker does not need permission to view or edit the target project and only needs …

Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combine that authorized parent ID with the rate ID of a different, unauthorized parent object and thereby modify the unauthorized rate record. This affects ProjectRate, CustomerRate, and ActivityRate editing. The issue is caused by missing parent-child consistency validation and allows cross-project, …

Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access

The ExportController web routes for creating and editing export templates are gated only by the class-level create_export permission, which is granted to ROLE_TEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter create_export_template permission, which is granted only to ROLE_ADMIN and ROLE_SUPER_ADMIN. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users …

Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover

The official Kimai Docker image ships with APP_SECRET=change_this_to_something_unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP_SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.

Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility

Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add users or activities that fall outside their intended visible or manageable scope, even when the frontend correctly hides those targets. This affects both team member assignment and team activity assignment. The issue is caused by treating "may edit this team" as equivalent to "may …

Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation

Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet restart and duplicate workflows. After a user loses access to a project, the user can still derive a new timesheet from one of their historical entries and create a new record under that now-unauthorized project and activity combination. This is a permission revocation bypass with persistent write impact. The issue affects both restart and duplicate, which trust ownership of an …

Recently updated

Two LiteLLM versions published containing credential harvesting malware

After an API Token exposure from an exploited trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Anyone who has installed and run the project should assume any credentials available to litellm environment may have been exposed, and revoke/rotate thema ccordingly.