THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-pgcc-vfmc-7cw5 (medium) — Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes

[GHSA] GHSA-pgcc-vfmc-7cw5 (medium) — Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes

highgithub_advisoriesPublished 2026-07-13

GHSA-pgcc-vfmc-7cw5 Severity: medium CVE: CVE-2026-49992

Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes

### Summary

Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through `GET` routes and directly crea

Indicators of compromise

Original source: https://github.com/advisories/GHSA-pgcc-vfmc-7cw5