THREAT OPS › Threat News › [GHSA] GHSA-xv4r-4885-gwpg (medium) — Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
[GHSA] GHSA-xv4r-4885-gwpg (medium) — Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
GHSA-xv4r-4885-gwpg Severity: medium CVE: CVE-2026-52825
Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
### Summary
Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add us
Indicators of compromise
- CVE-2026-52825cve
- https://www.kimai.org/en/security/ghsa-xv4r-4885-gwpgurl
Original source: https://github.com/advisories/GHSA-xv4r-4885-gwpg