CVE-2026-52822

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation

Summary

Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet restart and duplicate workflows. After a user loses access to a project, the user can still derive a new timesheet from one of their historical entries and create a new record under that now-unauthorized project and activity combination.

This is a permission revocation bypass with persistent write impact. The issue affects both restart and duplicate, which trust ownership of an old timesheet more than the user's current access to the underlying project, activity, and customer.

Details

The issue affects the following operations:

  • PATCH /api/timesheets/{id}/restart
  • PATCH /api/timesheets/{id}/duplicate

The root cause is that authorization gives too much weight to the fact that the original timesheet belongs to the current user. In src/Voter/TimesheetVoter.php, the *_own_timesheet branch is evaluated before team-based access checks.

The restart/duplicate capability check also verifies only object visibility, not whether the current user still has team-based access to the referenced objects.

In src/API/TimesheetController.php, the restart flow copies the historical project and activity into a new candidate timesheet.

The duplicate flow similarly clones the historical record and saves it.

In src/Timesheet/TimesheetService.php, creation of a new running entry still relies on isGranted('start', $timesheet).

For historical entries that belong to the current user, this logic can still succeed through the *_own_timesheet branch even after project access has been revoked. As a result, normal creation pages correctly stop offering the revoked project, but restart and duplicate can still create new records under it.

The same weakness also affects the Web duplicate flow because the UI path ultimately calls the same save logic in src/Controller/TimesheetAbstractController.php:

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows a user to keep writing new time entries into a project after project access has been revoked. That undermines administrative access-control changes and can pollute project time tracking, budget calculations, statistics, reports, and invoicing workflows.

Because both restart and duplicate can reuse historical project/activity bindings, old timesheet records effectively become reusable capability tokens that survive later access-control changes. This is not a UI artifact or a caching problem: new database rows are persisted after revocation.

Solution

The metoid TimesheetVoter::canStart() now checks team access for project and activity. This verification is used for new timesheets and also for the duplication and restart workflows.

See https://www.kimai.org/en/security/ghsa-c6w6-57jj-62vh for more information.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-52822(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 00:09 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-52822?
CVE-2026-52822 is a medium vulnerability published on July 14, 2026. Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation Summary Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet restart and duplicate workflows. After a user loses access to a project, the user can still…
When was CVE-2026-52822 disclosed?
CVE-2026-52822 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-52822?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52822, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52822

Explore →

Is Your Infrastructure Affected by CVE-2026-52822?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.