Platform
php
Component
kimai
Fixed in
2.53.1
2.53.0
CVE-2026-40486 describes a Broken Object Property Level Authorization (BOPA) vulnerability in the Kimai time tracking software. The flaw allows authenticated users, including those with limited privileges, to modify sensitive financial attributes on their own user profiles, specifically the hourlyrate and internalrate values, without holding the permission that is supposed to govern those fields. The vulnerability affects Kimai versions 1.0.0 up to, but not including, 2.53.0; versions 2.53.0 and later (including 2.53.1) contain the fix.
The core impact of CVE-2026-40486 is unauthorized modification of financial data. An attacker who has authenticated to the Kimai instance can use this BOPA to alter their own hourly and internal rates. This can inflate billed amounts, distort project costing, and ultimately cause financial losses for the organization. Although exploitation requires authentication, it requires nothing beyond a valid user account, so every account holder is a potential attacker. The blast radius of a single exploitation is limited to the affected user's profile and the billing records derived from it, but exploitation by several users would affect multiple projects.
As of the publication date (2026-04-17), CVE-2026-40486 is not listed in the CISA KEV catalog. The EPSS score is low (0.01%, 2nd percentile), consistent with the authentication requirement and the limited scope of impact. No public proof-of-concept (PoC) code is known, but the vulnerability is simple in nature: a valid account and a profile-update request that includes the rate fields are all that is needed, so a PoC would be straightforward to produce.
Exploit Status
- EPSS: 0.01% (2nd percentile)
- CISA SSVC: none listed
- CVSS Vector: none listed
The primary mitigation for CVE-2026-40486 is to upgrade Kimai to version 2.53.0 or later, which includes the fix. If an immediate upgrade is not feasible, tighten role-based access controls within Kimai so that as few users as possible hold permissions over financial attributes, and review user profiles for unexpected rate changes. A WAF or reverse proxy cannot enforce property-level authorization on the application's behalf, but it can be configured to log and alert on requests to the user profile modification endpoints that carry rate fields. After upgrading, confirm the fix by attempting to modify the hourlyrate and internalrate fields with a user account that lacks the hourly-rate permission; these modifications should be denied.
Update Kimai to version 2.53.0 or higher to prevent standard users from modifying billing rates. This update fixes the vulnerability by correctly verifying permission restrictions before saving user preferences.
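The following is an added illustration, not Kimai's own code: a minimal PHP profile-update handler showing the property-level authorization gap the advisory describes, beside a hardened version that computes the writable property set from the actor's permissions before anything is persisted. It also runs the post-upgrade check described above (an unprivileged account submitting rate fields must be refused). The permission name `hourly-rate_own_profile`, the class, and the field names are assumptions modelled on the page's wording; Kimai's real entities, forms, and routes differ.

```php
<?php
// Added example (not Kimai code). Demonstrates the BOPA pattern behind
// CVE-2026-40486 and the permission-gated property filter that closes it.
declare(strict_types=1);

final class User
{
    public function __construct(
        public string $username,
        public string $email,
        public ?float $hourlyRate = null,
        public ?float $internalRate = null,
        /** @var string[] assumed permission names, not Kimai's real ones */
        private array $permissions = [],
    ) {}

    public function hasPermission(string $name): bool
    {
        return in_array($name, $this->permissions, true);
    }
}

// All fields the profile form maps onto the entity.
const FORM_FIELDS = ['email', 'hourlyRate', 'internalRate'];
// Fields any user may change on their own profile.
const SELF_EDITABLE = ['email'];
// Financial fields that require an explicit permission (assumed name).
const RATE_FIELDS = ['hourlyRate', 'internalRate'];
const RATE_PERMISSION = 'hourly-rate_own_profile';

/**
 * Vulnerable handler: every mapped field present in the request is written
 * back, so a user who adds hourlyRate/internalRate to a routine email change
 * gets them persisted.
 */
function updateProfileVulnerable(User $user, array $input): void
{
    foreach (FORM_FIELDS as $field) {
        if (array_key_exists($field, $input)) {
            $user->$field = $input[$field];
        }
    }
}

/**
 * Hardened handler: the writable set depends on the actor's permissions and
 * is decided before any write. Unauthorised fields are rejected outright
 * (nothing is persisted) rather than silently dropped, so the attempt is
 * visible to the caller and can be logged.
 *
 * @return string[] rejected field names; empty when the update was applied
 */
function updateProfileHardened(User $user, array $input): array
{
    $writable = SELF_EDITABLE;
    if ($user->hasPermission(RATE_PERMISSION)) {
        $writable = array_merge($writable, RATE_FIELDS);
    }

    $rejected = array_values(array_diff(array_keys($input), $writable));
    if ($rejected !== []) {
        return $rejected;
    }

    foreach ($input as $field => $value) {
        $user->$field = $value;
    }
    return [];
}

// Constructed request body: an ordinary user smuggles rate fields into an
// email change.
$payload = ['email' => 'alice@example.test', 'hourlyRate' => 950.0, 'internalRate' => 5.0];

$victim = new User('alice', 'alice@example.org', 80.0, 60.0);
updateProfileVulnerable($victim, $payload);
printf("vulnerable: hourlyRate=%.2f internalRate=%.2f\n", $victim->hourlyRate, $victim->internalRate);

// Post-fix check: the same account without the rate permission must be refused.
$user = new User('alice', 'alice@example.org', 80.0, 60.0);
$rejected = updateProfileHardened($user, $payload);
printf("hardened: rejected=[%s] hourlyRate=%.2f\n", implode(',', $rejected), $user->hourlyRate);

// An account that does hold the permission may still set its rates.
$manager = new User('bob', 'bob@example.org', 80.0, 60.0, [RATE_PERMISSION]);
$rejected = updateProfileHardened($manager, $payload);
printf("permitted: rejected=[%s] hourlyRate=%.2f\n", implode(',', $rejected), $manager->hourlyRate);
```

Run with `php` 8.0 or later. The design point is that the authorization decision is made per property and before persistence: the list of writable fields is derived from the actor's permissions, and a request containing anything outside that list fails as a whole. Rejecting rather than stripping the extra fields is deliberate, because a silently ignored field hides the attempt from audit logs and from the WAF monitoring suggested above.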
CVE-2026-40486 is a Broken Object Property Level Authorization vulnerability in Kimai time tracking software, allowing authenticated users to modify financial attributes like hourly rates.
You are affected if you are running any Kimai version from 1.0.0 up to, but not including, 2.53.0. Upgrade to 2.53.0 or later to remove the risk.
Upgrade Kimai to version 2.53.0 or later. As a temporary workaround, tighten role-based access controls so that as few accounts as possible hold permissions over billing rates, and review profiles for unexpected rate changes.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered potentially exploitable.
Refer to the official Kimai security advisory for detailed information and updates: [https://kimai.org/security/advisories](https://kimai.org/security/advisories)