GHSA-r8vr-m544-qh4hMedium

Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes

Published
July 14, 2026
Last Modified
July 14, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser's existing session for /api/* requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly modify business state.

As a result, an attacker can trick a logged-in user into visiting a malicious page and cause unauthorized timesheet actions without the victim's consent. Depending on the endpoint, this can stop a running timesheet or create and start a new one from historical data.

Details

The issue affects at least the following API routes:

  • GET /api/timesheets/{id}/stop
  • GET /api/timesheets/{id}/restart

Both routes are non-read-only operations but are still exposed as GET. In src/API/TimesheetController.php.

A PoC was provided, but removed for security reasons.

Impact

This vulnerability allows an attacker to trigger unauthorized business-state changes as a logged-in victim. In the validated stop case, a running timesheet can be stopped, affecting time tracking integrity and potentially availability of ongoing work tracking. In the restart case, a historical timesheet can be restarted and a new record can be created without the victim's knowledge.

These actions can corrupt time records, distort billing and reporting, interfere with approvals or audits, and create persistent database-side side effects. Because exploitation requires only that the victim visit a malicious page while authenticated, the attack barrier is low.

Solution

The GET routes were removed, both stop and restart are only available via PATCH.

See https://www.kimai.org/en/security/ghsa-r8vr-m544-qh4h for more information.

🎯 Affected products1

  • composer/kimai/kimai:<= 2.57.0

🔗 References (2)