THREAT OPS › Threat News › [GHSA] GHSA-3q6q-26vg-v97x (medium) — Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
[GHSA] GHSA-3q6q-26vg-v97x (medium) — Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
GHSA-3q6q-26vg-v97x Severity: medium CVE: CVE-2026-52821
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
### Summary
Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic `create_activity` permission, but without access to a target p
Indicators of compromise
- CVE-2026-52821cve
- https://www.kimai.org/en/security/ghsa-3q6q-26vg-v97xurl
Original source: https://github.com/advisories/GHSA-3q6q-26vg-v97x