THREAT OPS › Threat News › [GHSA] GHSA-pgcc-vfmc-7cw5 (medium) — Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
[GHSA] GHSA-pgcc-vfmc-7cw5 (medium) — Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
GHSA-pgcc-vfmc-7cw5 Severity: medium CVE: CVE-2026-49992
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
### Summary
Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through `GET` routes and directly crea
Indicators of compromise
- CVE-2026-49992cve
- https://www.kimai.org/en/security/ghsa-pgcc-vfmc-7cw5url
Original source: https://github.com/advisories/GHSA-pgcc-vfmc-7cw5