Low severity3.3GHSA Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2026-41498

Description

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
kimai/kimaiPackagist	< 2.54.0	2.54.0

Affected products

Kimai/KimaiGHSA2 versions
< 2.54.0+ 1 more
- (no CPE)range: < 2.54.0
- cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*range: <2.54.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcmnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-jv9x-w4gm-hwcmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41498ghsaADVISORY
github.com/kimai/kimai/releases/tag/2.54.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000