THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-vrr2-g9gh-c3jc (medium) — Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass

[GHSA] GHSA-vrr2-g9gh-c3jc (medium) — Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass

highgithub_advisoriesPublished 2026-07-13

GHSA-vrr2-g9gh-c3jc Severity: medium CVE: CVE-2026-52820

Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass

## Summary

The Timesheet API `PATCH /api/timesheets/{id}` and `POST /api/timesheets` endpoints accept a user-supplied `project` ID and resolve it through a Symfony `EntityType` whose `query_builder` allows the submitted ID to satisfy th

Indicators of compromise

Original source: https://github.com/advisories/GHSA-vrr2-g9gh-c3jc