THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-2xgg-2x8h-8xw4 (medium) — Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation

[GHSA] GHSA-2xgg-2x8h-8xw4 (medium) — Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation

highgithub_advisoriesPublished 2026-07-14

GHSA-2xgg-2x8h-8xw4 Severity: medium CVE: CVE-2026-52826

Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation

### Summary

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combin

Indicators of compromise

Original source: https://github.com/advisories/GHSA-2xgg-2x8h-8xw4