CVE-2026-52828

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access

Summary

The ExportController web routes for creating and editing export templates are gated only by the class-level create_export permission, which is granted to ROLE_TEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter create_export_template permission, which is granted only to ROLE_ADMIN and ROLE_SUPER_ADMIN. A TEAMLEAD user can directly access the template create/edit routes to create or modify global export templates that are visible to all users including administrators.

Details

The ExportController applies the class-level annotation #[IsGranted('create_export')].

The createExportTemplate (line 210) and editExportTemplate (line 220) methods have no method-level #[IsGranted('create_export_template')] annotation. The permission hierarchy in config/packages/kimai.yaml:103,115,122-123 grants create_export to ROLE_TEAMLEAD via the EXPORT permission set, but create_export_template only to ROLE_ADMIN and ROLE_SUPER_ADMIN.

The API controller correctly requires create_export_template. The UI template (templates/export/index.html.twig:124) correctly hides the create button behind create_export_template. Only the web controller routes are missing the check.

ExportTemplate entities are global — they have no per-user or per-team scoping (src/Entity/ExportTemplate.php:19-56). Any template created or modified by a TEAMLEAD which is marked as "Available for all users" is visible to and usable by every user in the instance.

*A PoC was provided, but removed for security reasons.*

Impact

Any user with ROLE_TEAMLEAD can create and modify global export templates intended to be managed only by administrators. The templates control the structure and content of exported data (columns, renderer, format). While the impact is limited to data integrity manipulation of a non-security-critical resource (no RCE, no credential exposure), it violates the intended permission boundary and allows a lower-privileged user to influence the data output format used by all users including administrators.

Solution

The permission check #[IsGranted('create_export_template')] was added to the ExportController covering the methods createExportTemplate() and editExportTemplate.

See https://www.kimai.org/en/security/ghsa-rw46-qg69-vg6h for more details.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-52828(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 00:49 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-52828?
CVE-2026-52828 is a medium vulnerability published on July 14, 2026. Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access Summary The ExportController web routes for creating and editing export templates are gated only by the class-level createexport permission, which is granted to ROLETEAMLEAD by default. The corresponding API…
When was CVE-2026-52828 disclosed?
CVE-2026-52828 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-52828?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52828, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52828

Explore →

Is Your Infrastructure Affected by CVE-2026-52828?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.