CVE-2026-40486
Severity: MEDIUM
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
Title source: cnaDescription
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0.
References (2)
x_refsource_confirm: https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp
x_refsource_misc: https://github.com/kimai/kimai/releases/tag/2.53.0
Scores
CVSS v3
4.3
EPSS
0.0027
EPSS Percentile
18.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-915
Status
published
Products (2)
kimai/kimai
< 2.53.0 (2 CPE variants)
kimai/kimai
0 - 2.53.0 (Packagist)
Published
Apr 17, 2026
Tracked Since
Apr 18, 2026