CVE-2026-52821

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects

Summary

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic create_activity permission, but without access to a target project, can still create a new Activity under that unauthorized project by visiting the preset project creation route directly.

This is a persistent cross-project business-object creation issue. The attacker does not need permission to view or edit the target project and only needs to know a valid project.id.

Details

The issue affects the activity creation entry point that accepts a preset project identifier:

  • GET/POST /en/admin/activity/create/{project}
  • GET/POST /en/admin/project/create/{customer}

In src/Controller/ActivityController.php, the controller checks only the global capability to create activities and does not verify whether the current user is allowed to create an activity under the supplied Project object.

The form and repository path also preserve the preset project instead of rejecting it when the user lacks access. Because the preset project is merged into the candidate set, the final save operation can persist a new Activity under a project that is outside the attacker's authorized project scope.

The same logic applies to the src/Controller/ProjectController.php.

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows an authenticated user to inject new child business objects into projects outside their authorized scope. An attacker can pollute another team's project configuration, influence later timesheet selection and rate inheritance, and create conditions for downstream business abuse if other users start using the injected activity.

Solution

  • In ActivityController we now validate if the project can be edited with [IsGranted('edit', 'project')]
  • In ProjectController we now validate if if the customer can be edited with [IsGranted('edit', 'customer')]

See https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97x

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-52821(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 00:09 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-52821?
CVE-2026-52821 is a medium vulnerability published on July 14, 2026. Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects Summary Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic create_activity…
When was CVE-2026-52821 disclosed?
CVE-2026-52821 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-52821?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52821, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52821

Explore →

Is Your Infrastructure Affected by CVE-2026-52821?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.