CVE-2026-28685

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28685

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28685.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28685

Aliases

GHSA-v33r-r6h2-8wr7

Published

2026-03-06T04:49:08.312Z

Modified

2026-04-10T05:41:22.437390Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Kimai: API invoice endpoint missing customer-level access control (IDOR)

Details

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based viewinvoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLETEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.

Database specific

{
    "cwe_ids": [
        "CWE-285"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28685.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/kevinpapst/kimai2

Affected ranges

Type

GIT

Repo

https://github.com/kevinpapst/kimai2

Events

Introduced

Fixed

a0601c8cb28fed1cca19051a8272425069ab758f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.51.0"
        }
    ]
}

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.6.1

0.7

0.8

0.8.1

0.9

1.*

1.0

1.0.1

1.1

1.10

1.10.1

1.10.2

1.11

1.11.1

1.12

1.13

1.14

1.14.1

1.14.2

1.14.3

1.15

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.16

1.16.1

1.16.10

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.16.8

1.16.9

1.17

1.17.1

1.18

1.18.1

1.18.2

1.19

1.19.1

1.19.2

1.19.3

1.19.4

1.19.5

1.19.6

1.19.7

1.2

1.20

1.20.1

1.20.2

1.20.3

1.20.4

1.21.0

1.22.0

1.22.1

1.23.0

1.23.1

1.24.0

1.25.0

1.26.0

1.27.0

1.28.0

1.28.1

1.29.0

1.29.1

1.3

1.30.0

1.30.1

1.30.4

1.4

1.4.1

1.4.2

1.5

1.6

1.6.1

1.6.2

1.7

1.8

1.9

2.*

2.0.0

2.0.0-alpha

2.0.0-beta

2.0.0-beta-2

2.0.0-beta-3

2.0.0-rc-1

2.0.1

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.2

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.3

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.10.0

2.11.0

2.12.0

2.13.0

2.14.0

2.15.0

2.16.0

2.16.1

2.17.0

2.18.0

2.19.0

2.19.1

2.2.0

2.2.1

2.20.0

2.20.1

2.21.0

2.22.0

2.23.0

2.24.0

2.25.0

2.26.0

2.27.0

2.28.0

2.29.0

2.3.0

2.30.0

2.31.0

2.32.0

2.33.0

2.34.0

2.35.0

2.35.1

2.36.0

2.36.1

2.37.0

2.38.0

2.39.0

2.4.0

2.4.1

2.40.0

2.41.0

2.42.0

2.43.0

2.44.0

2.45.0

2.46.0

2.47.0

2.48.0

2.49.0

2.5.0

2.50.0

2.6.0

2.7.0

2.8.0

2.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28685.json"

Git / github.com/kimai/kimai