Vulnerability Description
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], so no subject is passed to the authorization check and Symfony's TeamVoter abstains from voting. This removes the entity-level ownership check on team operations, allowing any user who holds the edit_team permission to modify any team, not just the teams they are authorized to manage. This issue has been patched in version 2.54.0.
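Why the first attribute form bypasses the voter, shown as an added example that is not Kimai's code: a minimal Symfony voter in the style of the framework's Voter base class, next to a hypothetical controller carrying both the vulnerable and the corrected attribute. The Team, TeamVoter and TeamApiController names are assumptions for illustration.

```php
<?php
// Added illustration (not Kimai's code). Names are hypothetical.
// Shows why #[IsGranted('edit_team')] never reaches the entity-level check
// that #[IsGranted('edit', 'team')] triggers.

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class Team
{
    /** @param string[] $teamleadIds user identifiers allowed to manage this team */
    public function __construct(public array $teamleadIds) {}
}

// A subject-aware voter: it only votes when asked about the 'edit' attribute
// on a Team instance. For any other (attribute, subject) pair, supports()
// returns false and the Voter base class records ACCESS_ABSTAIN.
final class TeamVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === 'edit' && $subject instanceof Team;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        /** @var Team $subject */
        $user = $token->getUser();
        // Ownership check: only a listed team lead may edit this specific team.
        return $user !== null
            && in_array($user->getUserIdentifier(), $subject->teamleadIds, true);
    }
}

final class TeamApiController
{
    // VULNERABLE: no subject is given, so the voters are asked about
    // ('edit_team', null). TeamVoter::supports() is false and it abstains;
    // only the global edit_team permission decides, for every team.
    #[IsGranted('edit_team')]
    public function patchInsecure(Team $team): Response { return new Response('updated'); }

    // FIXED: the string 'team' names the controller argument $team, which
    // Symfony resolves and passes as the subject, so TeamVoter enforces ownership.
    #[IsGranted('edit', 'team')]
    public function patchSecure(Team $team): Response { return new Response('updated'); }
}
```

A quick defender's check for this class of bug is to grep controllers for IsGranted attributes on entity-specific routes that pass no subject argument.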
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kimai | Kimai | < 2.54.0 |
Related Weaknesses (CWE)
References
- https://github.com/kimai/kimai/releases/tag/2.54.0 (Product, Release Notes)
- https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-41498?
CVE-2026-41498 is a vulnerability with a CVSS score of 3.3 (LOW). Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to a...
How severe is CVE-2026-41498?
CVE-2026-41498 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-41498?
Check the references section above for vendor advisories and patch information. Affected products include: Kimai (vendor: Kimai), versions prior to 2.54.0.