CVE-2026-52825

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility

Summary

Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add users or activities that fall outside their intended visible or manageable scope, even when the frontend correctly hides those targets.

This affects both team member assignment and team activity assignment. The issue is caused by treating "may edit this team" as equivalent to "may attach any referenced object to this team", without performing a second authorization check on the target user or activity.

Details

The issue affects at least the following API routes:

  • POST /api/teams/{id}/members/{userId}
  • POST /api/teams/{id}/activities/{activityId}

In both cases, the backend checks whether the caller may edit the Team, but it does not verify whether the referenced User or Activity falls inside the caller's allowed management scope.

For team member assignment, the frontend form correctly limits the visible user choices. In src/Form/TeamEditForm.php, the team edit form uses UserType:

$builder->add('users', UserType::class, [
    'label' => 'add_user.label',
    'help' => 'team.add_user.help',
    'mapped' => false,
    'multiple' => false,
    'expanded' => false,
    'required' => false,
    'ignore_users' => $team !== null ? $team->getUsers() : []
]);

In src/Form/Type/UserType.php, the user selector is built from UserRepository::getQueryBuilderForFormType():

$query = new UserFormTypeQuery();
$query->setUser($options['user']);

$qb = $this->userRepository->getQueryBuilderForFormType($query); $users = $qb->getQuery()->getResult();

And in src/Repository/UserRepository.php, Teamlead-visible candidates are limited to team members from teams they lead:

if (null !== $user && $user->isTeamlead()) {
    $userIds = [];
    foreach ($user->getTeams() as $team) {
        if ($team->isTeamlead($user)) {
            foreach ($team->getUsers() as $teamMember) {
                $userIds[] = $teamMember->getId();
            }
        }
    }
    $userIds = array_unique($userIds);
    $qb->setParameter('teamMember', $userIds);
    $or->add($qb->expr()->in('u.id', ':teamMember'));
}

However, the actual member-assignment API does not reuse that restriction. In src/API/TeamController.php:

#[IsGranted('edit', 'team')]
#[Route(methods: ['POST'], path: '/{id}/members/{userId}', name: 'post_team_member', requirements: ['id' => '\d+', 'userId' => '\d+'])]
public function postMemberAction(Team $team, #[MapEntity(mapping: ['userId' => 'id'])] User $member): Response
{
    if ($member->isInTeam($team)) {
        throw new BadRequestHttpException('User is already member of the team');
    }

$team->addUser($member); $this->teamService->saveTeam($team); }

For activity assignment, the same pattern appears. In src/API/TeamController.php:

#[IsGranted('edit', 'team')]
#[Route(methods: ['POST'], path: '/{id}/activities/{activityId}', name: 'post_team_activity', requirements: ['id' => '\d+', 'activityId' => '\d+'])]
public function postActivityAction(Team $team, #[MapEntity(mapping: ['activityId' => 'id'])] Activity $activity, ActivityRepository $activityRepository): Response
{
    if ($team->hasActivity($activity)) {
        throw new BadRequestHttpException('Team has already access to activity');
    }

$team->addActivity($activity); $activityRepository->saveActivity($activity); }

The Team voter only checks whether the current user may edit that team, not whether the referenced object is within the Teamlead's legitimate scope. In src/Voter/TeamVoter.php:

if (!$user->isAdmin() && !$user->isSuperAdmin() && !$user->isTeamleadOf($subject)) {
    return false;
}

return $this->permissionManager->hasRolePermission($user, $attribute . '_team');

For activities, this is especially risky because later authorization logic may trust the team assignment that was just written. In src/Security/RolePermissionManager.php:

public function checkTeamAccessActivity(Activity $activity, User $user): bool
{
    if ($activity->getProject() !== null && !$this->checkTeamAccessProject($activity->getProject(), $user)) {
        return false;
    }

return $this->checkTeamAccess($activity->getTeams(), $user); }

So once a Teamlead is able to write a new team/activity relation, later access-control decisions may treat that relation as legitimate input.

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows a Teamlead to use their own editable team as an expansion container for objects that should remain outside their authorized scope. In the validated member-assignment case, the attacker can forcibly add users who are not supposed to be manageable through that Teamlead's visible range. In the activity-assignment case, the attacker can attach activities that are outside the intended authorization boundary of the team.

Once such relations are written, downstream authorization, visibility, and business workflows may start treating them as legitimate. This can affect user scoping, team-based access control, customer/project/activity visibility, time-entry behavior, statistics, and reporting. The issue therefore breaks the trustworthiness of Team as a security isolation container.

Solution

Several new permission checks were added to src/API/TeamController.php -

  • Check if user can be accessed with #[IsGranted('access_user', 'member')] before adding as new team member
  • Check if customer can be seen with #[IsGranted('view', 'customer')] before a team is granted access to a customer
  • Check if project can be seen with #[IsGranted('view', 'project')] before a team is granted access to a project
  • Check if activity can be seen with #[IsGranted('view', 'activity')] before a team is granted access to an activity

See https://www.kimai.org/en/security/ghsa-xv4r-4885-gwpg for more information.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-52825(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 00:25 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-52825?
CVE-2026-52825 is a medium vulnerability published on July 14, 2026. Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility Summary Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team…
When was CVE-2026-52825 disclosed?
CVE-2026-52825 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-52825?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52825, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52825

Explore →

Is Your Infrastructure Affected by CVE-2026-52825?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.