THREAT OPS › Threat News › [GHSA] GHSA-vrr2-g9gh-c3jc (medium) — Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
[GHSA] GHSA-vrr2-g9gh-c3jc (medium) — Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
GHSA-vrr2-g9gh-c3jc Severity: medium CVE: CVE-2026-52820
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
## Summary
The Timesheet API `PATCH /api/timesheets/{id}` and `POST /api/timesheets` endpoints accept a user-supplied `project` ID and resolve it through a Symfony `EntityType` whose `query_builder` allows the submitted ID to satisfy th
Indicators of compromise
- CVE-2026-52820cve
- https://www.kimai.org/en/security/ghsa-vrr2-g9gh-c3jcurl
Original source: https://github.com/advisories/GHSA-vrr2-g9gh-c3jc