THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-4m8q-55qv-9pwp (medium) — Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target

[GHSA] GHSA-4m8q-55qv-9pwp (medium) — Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target

highgithub_advisoriesPublished 2026-07-13

GHSA-4m8q-55qv-9pwp Severity: medium CVE: CVE-2026-52819

Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target

## Summary

`GET /api/timesheets?user=<id>` (and `users[]=<id>`) returns the targeted user's timesheet records to any caller that has the `view_other_timesheet` permission, without verifying that th

Indicators of compromise

Original source: https://github.com/advisories/GHSA-4m8q-55qv-9pwp