Platform
php
Component
kimai
Fixed version
2.53.1
2.53.0
CVE-2026-40486 describes a Broken Object Property Level Authorization (BOPLA, OWASP API Security Top 10 2023 category API3) vulnerability in the Kimai time tracking software. The flaw lets any authenticated user, including one with limited privileges, write the sensitive financial attributes hourlyrate and internalrate on their own user profile, even though a separate permission is supposed to govern those fields. Kimai versions from 1.0.0 up to, but not including, 2.53.0 are affected; the fix shipped in 2.53.0.
The impact of CVE-2026-40486 is unauthorized modification of billing data. An attacker with a valid Kimai account can raise or lower their own hourly and internal rates, which feeds into inflated invoices, wrong project costing and, ultimately, financial loss for the organization. Authentication is required, but nothing beyond an ordinary account is needed, so every user of the instance is a potential exploiter. The blast radius of a single abuse is one user's profile and the billing records computed from it; if several users exploit it, multiple projects and invoices are affected.
As of the publication date (2026-04-17), CVE-2026-40486 is not listed in the CISA KEV catalog. The EPSS score is 0.01% (2nd percentile), consistent with the authentication requirement and limited scope. No public proof-of-concept code is available, but the flaw is a property-level authorization miss on a normal profile update, so exploitation amounts to including the rate fields in an otherwise legitimate request; a PoC would be trivial to write once the request shape is known.
Organizations running Kimai for time tracking are at risk, and because any valid account suffices, exposure scales with the number of accounts and with how much the invoicing depends on per-user rates. Deployments with many users, complex billing structures, or shared environments where accounts are handed out loosely are the most exposed.
• php: Examine Kimai application logs for unusual requests to the user profile and preference modification endpoints (the page's example path is /api/user/preferences; confirm the exact routes against your version) coming from accounts that should not be able to set rates.
• generic web: Monitor web server access logs for POST, PATCH or PUT requests to the preference endpoint. Access logs do not carry request bodies or the caller's role, so correlate the authenticated username with the Kimai user and permission list to find writes by users who lack the hourly rate permission, then confirm against that user's rate history.
• generic web: Review the Kimai permission configuration for any misconfigured access controls around user profile modification, and check which users currently hold the hourly rate permission.
disclosure
Exploitation status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40486 is to upgrade Kimai to version 2.53.0 or later, which contains the fix. If an immediate upgrade is not feasible, reduce the population of accounts that could abuse the flaw (disable dormant accounts, avoid open self-registration) and audit user profiles for rate changes that the account holder should not have been able to make; note that tightening role-based access control does not by itself close the hole, because the vulnerability is that the rate permission was not being enforced on the preference save. A WAF or proxy cannot reliably block this BOPLA, since the offending request looks like a normal profile update and the decision depends on who the caller is, but it can log or alert on write requests to the profile and preference endpoints for later correlation. After upgrading, confirm the fix by attempting to set the hourlyrate and internalrate fields with an account that lacks the hourly rate permission; the modification must be denied and the stored rates must remain unchanged, while an account that holds the permission must still succeed.
Update Kimai to version 2.53.0 or later to prevent standard users from modifying billing rates. This release fixes the vulnerability by correctly checking the permission restrictions before saving the user's preferences.
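The vulnerability class and the shape of the fix the page describes, as an added illustrative example that is not Kimai's code: a preference save that trusts every submitted key (the broken object property level authorization) next to one whose writable field set depends on the caller's permission, plus the post-upgrade verification step from the mitigation text expressed as a function. The field names hourlyrate and internalrate and the permission name "hourly-rate" follow the page's wording; the free preference fields and the user model are constructed. The example also fails the whole request on a forbidden key rather than silently stripping it, which is a design choice discussed below.

```python
"""Property-level authorization on a preference save: broken pattern beside the fix.

Added example, not Kimai code. Models in plain Python what the page describes:
any authenticated user could write hourlyrate/internalrate on their own
profile; the fix checks the permission before saving. Field and permission
names follow the page's wording (assumption); the rest is constructed.
"""
from dataclasses import dataclass, field

RATE_FIELDS = {"hourlyrate", "internalrate"}
RATE_PERMISSION = "hourly-rate"                   # page's wording; assumption
FREE_FIELDS = {"timezone", "language", "theme"}   # constructed: any user may set these


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    preferences: dict = field(default_factory=dict)


class PermissionDenied(Exception):
    pass


def save_preferences_broken(user, submitted):
    """Vulnerable: every known key is written, whoever the caller is.

    The rate fields are valid preferences, so the only question that matters
    (may THIS user set THIS property?) is never asked.
    """
    for key, value in submitted.items():
        if key in FREE_FIELDS | RATE_FIELDS:
            user.preferences[key] = value


def save_preferences_fixed(user, submitted):
    """Fixed: the writable set is derived from the caller's permissions.

    A forbidden key fails the whole request instead of being dropped, so the
    attempt is visible to the caller and to logs rather than hidden.
    """
    allowed = set(FREE_FIELDS)
    if RATE_PERMISSION in user.permissions:
        allowed |= RATE_FIELDS
    rejected = set(submitted) - allowed
    if rejected:
        raise PermissionDenied(f"{user.name} may not set {sorted(rejected)}")
    for key, value in submitted.items():
        user.preferences[key] = value


def verify_fix(save):
    """Post-upgrade check from the mitigation text, run against a save function.

    Returns three booleans: the limited user was denied, the limited user's
    rates are unchanged, and the privileged user can still set rates.
    """
    limited = User("mallory", {"view_own_timesheet"}, {"hourlyrate": 50})
    privileged = User("admin", {"view_own_timesheet", RATE_PERMISSION}, {"hourlyrate": 50})
    attack = {"timezone": "UTC", "hourlyrate": 900, "internalrate": 10}

    try:
        save(limited, attack)
        denied = False
    except PermissionDenied:
        denied = True
    rates_unchanged = (limited.preferences.get("hourlyrate") == 50
                       and "internalrate" not in limited.preferences)

    try:
        save(privileged, {"hourlyrate": 120})
        privileged_ok = privileged.preferences["hourlyrate"] == 120
    except PermissionDenied:
        privileged_ok = False

    return {"limited_denied": denied,
            "limited_rate_unchanged": rates_unchanged,
            "privileged_ok": privileged_ok}


if __name__ == "__main__":
    print("broken:", verify_fix(save_preferences_broken))
    print("fixed: ", verify_fix(save_preferences_fixed))
```

Against the broken save the check reports the limited user was not denied and the rate moved from 50 to 900; against the fixed save all three checks pass. Rejecting the whole request is stricter than the common alternative of stripping the forbidden keys and saving the rest; stripping is friendlier to clients that echo back whole objects, but it hides probing from audit logs, which is exactly what you want to see when hunting for abuse of a flaw like this one.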
CVE-2026-40486 is a Broken Object Property Level Authorization vulnerability in the Kimai time tracking software that lets any authenticated user modify the financial attributes hourlyrate and internalrate on their own profile.
You are affected if you run a Kimai version from 1.0.0 up to, but not including, 2.53.0. Upgrade to 2.53.0 or later to remove the risk.
Upgrade Kimai to version 2.53.0 or later. Until then, limit who holds an account on the instance and audit user profiles for rate changes the account holder should not have been able to make.
There are currently no confirmed reports of active exploitation (EPSS 0.01%, not in CISA KEV), but the flaw requires only a valid account and is considered readily exploitable.
Refer to the official Kimai security advisory for detailed information and updates: [https://kimai.org/security/advisories](https://kimai.org/security/advisories)