CVE-2026-52823: Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser’s existing session for /api/* requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly modify business state.
As a result, an attacker can trick a logged-in user into visiting a malicious page and cause unauthorized timesheet actions without the victim’s consent. Depending on the endpoint, this can stop a running timesheet or create and start a new one from historical data.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-52823 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →