THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-xv4r-4885-gwpg (medium) — Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility

[GHSA] GHSA-xv4r-4885-gwpg (medium) — Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility

highgithub_advisoriesPublished 2026-07-14

GHSA-xv4r-4885-gwpg Severity: medium CVE: CVE-2026-52825

Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility

### Summary

Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add us

Indicators of compromise

Original source: https://github.com/advisories/GHSA-xv4r-4885-gwpg