Description

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.

INFO

Published Date :

2026-05-08T03:30:32.310Z

Last Modified :

2026-05-08T03:30:32.310Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41498 vulnerability.

Vendors Products
Kimai
  • Kimai
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41498.

URL Resource
https://github.com/kimai/kimai/releases/tag/2.54.0 cve-icon cve-icon
https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact