THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-c6w6-57jj-62vh (medium) — Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation

[GHSA] GHSA-c6w6-57jj-62vh (medium) — Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation

highgithub_advisoriesPublished 2026-07-14

GHSA-c6w6-57jj-62vh Severity: medium CVE: CVE-2026-52822

Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation

### Summary

Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet `restart` and `duplicate` workflows. After a user loses access to a project, the user can still derive a new timesheet from one of th

Indicators of compromise

Original source: https://github.com/advisories/GHSA-c6w6-57jj-62vh