THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-3q6q-26vg-v97x (medium) — Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects

[GHSA] GHSA-3q6q-26vg-v97x (medium) — Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects

highgithub_advisoriesPublished 2026-07-14

GHSA-3q6q-26vg-v97x Severity: medium CVE: CVE-2026-52821

Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects

### Summary

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic `create_activity` permission, but without access to a target p

Indicators of compromise

Original source: https://github.com/advisories/GHSA-3q6q-26vg-v97x