Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
🔗 CVE IDs covered (1)
📋 Description
Summary
Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser's existing session for /api/* requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly modify business state.
As a result, an attacker can trick a logged-in user into visiting a malicious page and cause unauthorized timesheet actions without the victim's consent. Depending on the endpoint, this can stop a running timesheet or create and start a new one from historical data.
Details
The issue affects at least the following API routes:
GET /api/timesheets/{id}/stopGET /api/timesheets/{id}/restart
Both routes are non-read-only operations but are still exposed as GET. In src/API/TimesheetController.php.
A PoC was provided, but removed for security reasons.
Impact
This vulnerability allows an attacker to trigger unauthorized business-state changes as a logged-in victim. In the validated stop case, a running timesheet can be stopped, affecting time tracking integrity and potentially availability of ongoing work tracking. In the restart case, a historical timesheet can be restarted and a new record can be created without the victim's knowledge.
These actions can corrupt time records, distort billing and reporting, interfere with approvals or audits, and create persistent database-side side effects. Because exploitation requires only that the victim visit a malicious page while authenticated, the attack barrier is low.
Solution
The GET routes were removed, both stop and restart are only available via PATCH.
See https://www.kimai.org/en/security/ghsa-r8vr-m544-qh4h for more information.
🎯 Affected products1
- composer/kimai/kimai:<= 2.57.0