THREAT OPS › Threat News › [GHSA] GHSA-4m8q-55qv-9pwp (medium) — Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
[GHSA] GHSA-4m8q-55qv-9pwp (medium) — Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
GHSA-4m8q-55qv-9pwp Severity: medium CVE: CVE-2026-52819
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
## Summary
`GET /api/timesheets?user=<id>` (and `users[]=<id>`) returns the targeted user's timesheet records to any caller that has the `view_other_timesheet` permission, without verifying that th
Indicators of compromise
- CVE-2026-52819cve
- https://www.kimai.org/en/security/ghsa-4m8q-55qv-9pwpurl
Original source: https://github.com/advisories/GHSA-4m8q-55qv-9pwp