GHSA-j5mc-p8qg-39j7: Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation
Kimai 2.56.0 and earlier contain an authenticated improper authorization vulnerability in the favorite timesheet add and remove endpoints. A low-privileged user who knows another user's timesheet ID can add or remove that timesheet from the victim's favorite bookmark list without administrative privileges. This allows cross-user manipulation of favorite state, impacting data integrity but not directly exposing sensitive information.
AI Analysis
Technical Summary
Kimai versions prior to 2.57.0 (2.56.0 and earlier) have an improper authorization (IDOR) vulnerability in the endpoints GET /en/favorite/timesheet/add/{id} and GET /en/favorite/timesheet/remove/{id} (the /en/ segment is the locale prefix; the same routes exist under every configured locale). Both endpoints accept a timesheet ID and are gated only by the 'start_own_timesheet' permission, which ordinary users hold, so the permission check narrows the set of callers to essentially every authenticated user. What is missing is the object-level check: nothing verifies that the timesheet identified by {id} belongs to the authenticated user. The controller loads the timesheet by ID and forwards the object to the favorite service, which derives the owner of the bookmark list from the timesheet's user rather than from the session user. The combination means that any authenticated user who knows or guesses a victim's timesheet ID can add that timesheet to, or remove it from, the victim's favorite/recent bookmark list, tampering with another user's state without admin privileges.
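The following is an added, illustrative model of the flaw and of the object-level check that closes it. It is not Kimai's code: the classes User, Timesheet and FavoriteService, the method names, and the demo data are assumptions chosen for this example; only the shape of the bug (role-level permission check, list owner derived from the timesheet's user, no comparison with the session user) follows the advisory.

```php
<?php
// Added, illustrative model of the flaw (not Kimai's code). The classes
// User, Timesheet, FavoriteService and the method names are assumptions
// chosen for this example; only the shape of the bug follows the advisory.
declare(strict_types=1);

final class User
{
    public function __construct(public readonly int $id, public readonly string $name) {}
}

final class Timesheet
{
    public function __construct(public readonly int $id, public readonly User $user) {}
}

final class AccessDeniedException extends RuntimeException {}

final class FavoriteService
{
    /** @var array<int, int[]> bookmark list per user id */
    private array $favorites = [];

    // Vulnerable shape: the controller has already checked that the caller
    // holds a role-level permission (start_own_timesheet), then hands over
    // the timesheet it loaded by id. The list that gets modified belongs to
    // the timesheet's owner, not to the caller, and nothing compares the two.
    public function addUnsafe(Timesheet $ts): void
    {
        $this->favorites[$ts->user->id][] = $ts->id;
        $this->favorites[$ts->user->id] = array_values(array_unique($this->favorites[$ts->user->id]));
    }

    // Hardened shape: the authenticated user is an explicit input, the list
    // is keyed on that user, and the timesheet must belong to that user.
    public function add(User $actor, Timesheet $ts): void
    {
        $this->assertOwner($actor, $ts);
        $this->favorites[$actor->id][] = $ts->id;
        $this->favorites[$actor->id] = array_values(array_unique($this->favorites[$actor->id]));
    }

    public function remove(User $actor, Timesheet $ts): void
    {
        $this->assertOwner($actor, $ts);
        $this->favorites[$actor->id] = array_values(
            array_diff($this->favorites[$actor->id] ?? [], [$ts->id])
        );
    }

    /** @return int[] */
    public function listFor(User $user): array
    {
        return $this->favorites[$user->id] ?? [];
    }

    private function assertOwner(User $actor, Timesheet $ts): void
    {
        // Object-level check: same id as the session user, not just "has permission".
        if ($ts->user->id !== $actor->id) {
            throw new AccessDeniedException(sprintf(
                'user %d may not bookmark timesheet %d owned by user %d',
                $actor->id, $ts->id, $ts->user->id
            ));
        }
    }
}

// Constructed demo data: mallory is an ordinary authenticated user who has
// learned the id of one of alice's timesheets.
$alice      = new User(1, 'alice');
$mallory    = new User(2, 'mallory');
$aliceSheet = new Timesheet(4711, $alice);

$svc = new FavoriteService();

$svc->addUnsafe($aliceSheet);                       // mallory's request, vulnerable path
printf("unsafe:   alice=%s mallory=%s\n",
    json_encode($svc->listFor($alice)), json_encode($svc->listFor($mallory)));

try {
    $svc->add($mallory, $aliceSheet);               // same request, hardened path
} catch (AccessDeniedException $e) {
    echo "hardened: rejected, {$e->getMessage()}\n";
}

$svc->add($alice, $aliceSheet);                     // the owner can still bookmark
$svc->remove($alice, $aliceSheet);
printf("hardened: alice=%s mallory=%s\n",
    json_encode($svc->listFor($alice)), json_encode($svc->listFor($mallory)));
```

Run with `php model.php`. The vulnerable path shows alice's list changing on a request she never made while mallory's stays empty; the hardened path rejects the same request before any state changes and still lets the owner add and remove her own entries. In a Symfony controller the same ownership check is normally expressed through a voter and denyAccessUnlessGranted() rather than an inline id comparison, but the property being enforced is the one shown here: the session user, not the timesheet's user, decides whose list is touched, and the two must match.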
Potential Impact
An authenticated low-privileged attacker can manipulate the favorite bookmark state of other users by adding or removing victim-owned timesheet entries. This can disrupt the victim's normal workflow by injecting or removing quick-entry favorites, impacting the integrity of user-specific business data. The vulnerability does not disclose sensitive data but allows reliable cross-user tampering of per-user favorite lists.
Mitigation Recommendations
The analysis above lists versions prior to 2.57.0 as affected, which implies that 2.57.0 carries the fix, but this page does not confirm the patch status; verify it against the vendor advisory before treating an upgrade as remediation. Until a fixed version is deployed, the affected routes (/favorite/timesheet/add/{id} and /favorite/timesheet/remove/{id}, under each locale prefix) can be blocked at the reverse proxy or restricted to trusted users; the favorite feature is a convenience, and losing it temporarily costs less than cross-user tampering. Monitor requests to those routes, in particular a single client cycling through many distinct timesheet IDs. Timesheet IDs are small integer database identifiers that an attacker can enumerate, so withholding them is not a meaningful control. The durable fix is an object-level authorization check: the controller must verify that the timesheet identified by {id} belongs to the authenticated user, and the favorite service should key the bookmark list on the session user rather than on the timesheet's owner.
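As an added example of the monitoring suggested above (not part of the advisory or the Kimai project), the script below scans web-server access log lines for the favorite add/remove routes and flags clients that touch many distinct timesheet IDs, which is the traffic shape of someone enumerating other users' entries. The log lines are constructed for the demo, and the route regex, the combined-log-format assumption and the threshold of five distinct IDs are all assumptions. Access logs carry neither the Kimai user nor the timesheet owner, so this is a triage signal only: confirming cross-user abuse requires comparing the flagged IDs with the owner column of the timesheet table.

```php
<?php
// Added example (not from the Kimai project): spot clients that hit the
// favorite add/remove routes with many distinct timesheet ids.
// Input: web-server access log lines in combined log format (constructed
// below for the demo). Route regex and threshold are assumptions.
declare(strict_types=1);

// Matches "/favorite/timesheet/add/123" or ".../remove/123", with or
// without a leading locale segment such as /en/ or /pt_BR/.
const FAVORITE_ROUTE_RE =
    '~"(?:GET|POST) /(?:[a-z]{2}(?:_[A-Z]{2})?/)?favorite/timesheet/(add|remove)/(\d+)(?:\?[^" ]*)? HTTP/~';

/**
 * Aggregate favorite add/remove hits per client address.
 *
 * @param string[] $lines
 * @return array<string, array{hits:int, ids:int[]}>
 */
function favoriteHitsPerClient(array $lines): array
{
    $perClient = [];
    foreach ($lines as $line) {
        if (!preg_match(FAVORITE_ROUTE_RE, $line, $m)) {
            continue;
        }
        $ip = explode(' ', $line, 2)[0];
        $perClient[$ip]['hits'] = ($perClient[$ip]['hits'] ?? 0) + 1;
        $perClient[$ip]['ids'][(int) $m[2]] = true;   // set semantics, de-duplicates ids
    }
    foreach ($perClient as &$rec) {
        $rec['ids'] = array_keys($rec['ids']);
        sort($rec['ids']);
    }
    unset($rec);
    return $perClient;
}

/**
 * Return the clients whose distinct-id count reaches the threshold.
 * A user bookmarking their own entries rarely touches more than a handful
 * of ids in one log window; enumeration touches many.
 *
 * @param array<string, array{hits:int, ids:int[]}> $perClient
 * @return array<string, int[]> client => sorted distinct ids
 */
function flagEnumeration(array $perClient, int $distinctIdThreshold = 5): array
{
    $flagged = [];
    foreach ($perClient as $ip => $rec) {
        if (count($rec['ids']) >= $distinctIdThreshold) {
            $flagged[$ip] = $rec['ids'];
        }
    }
    return $flagged;
}

// Constructed sample: 10.0.0.5 bookmarks two of its own entries, while
// 203.0.113.9 walks ids 4701..4707 through add and then remove.
$sample = [
    '10.0.0.5 - - [02/Jul/2026:22:10:01 +0000] "GET /en/favorite/timesheet/add/912 HTTP/1.1" 302 0',
    '10.0.0.5 - - [02/Jul/2026:22:10:30 +0000] "GET /en/favorite/timesheet/add/913 HTTP/1.1" 302 0',
    '10.0.0.5 - - [02/Jul/2026:22:11:00 +0000] "GET /en/timesheet/ HTTP/1.1" 200 5120',
];
foreach (range(4701, 4707) as $id) {
    $sample[] = "203.0.113.9 - - [02/Jul/2026:22:12:00 +0000] \"GET /en/favorite/timesheet/add/$id HTTP/1.1\" 302 0";
    $sample[] = "203.0.113.9 - - [02/Jul/2026:22:12:01 +0000] \"GET /en/favorite/timesheet/remove/$id HTTP/1.1\" 302 0";
}

$flagged = flagEnumeration(favoriteHitsPerClient($sample));
foreach ($flagged as $ip => $ids) {
    printf("%s touched %d distinct timesheet ids: %s\n", $ip, count($ids), implode(',', $ids));
}
```

To run it against a real log, replace `$sample` with the lines of the access log (for example `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)`) and tune the threshold to the site's normal bookmarking volume; the flagged IDs are then the input to the ownership comparison against the timesheet table.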
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-j5mc-p8qg-39j7
- Osv Schema Version: 1.4.0
- Aliases: none
- Ecosystems: Packagist
- Database Specific Severity: LOW
- Cvss Version: 4.0
Threat ID: 6a46ecb027e9c7971943c486
Added to database: 07/02/2026, 22:56:48 UTC
Last enriched: 07/02/2026, 23:06:27 UTC
Last updated: 07/02/2026, 23:06:27 UTC