THREAT OPS › Threat News › [GHSA] GHSA-c6w6-57jj-62vh (medium) — Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
[GHSA] GHSA-c6w6-57jj-62vh (medium) — Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
GHSA-c6w6-57jj-62vh Severity: medium CVE: CVE-2026-52822
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
### Summary
Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet `restart` and `duplicate` workflows. After a user loses access to a project, the user can still derive a new timesheet from one of th
Indicators of compromise
- CVE-2026-52822cve
- https://www.kimai.org/en/security/ghsa-c6w6-57jj-62vhurl
Original source: https://github.com/advisories/GHSA-c6w6-57jj-62vh