CVE-2026-41498

low

Published 2026-05-08 · Modified 2026-05-12

CVSS v3

3.3

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CVSS v2

—

VIR risk

3.3

Description

Kimai has Missing Object-Level Authorization in the Team API

Exploit likelihood

44%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/kimai/kimai/releases/tag/2.54.0

Ecosystem	Package	Vulnerable	Fixed
Packagist	kimai/kimai	`<2.54.0`	`2.54.0`
COMPOSER	kimai/kimai	`< 2.54.0`	`2.54.0`

Vendor	Product	Versions	Fixed
kimai	kimai	`{"endExcluding":"2.54.0"}`	`2.54.0`

CWE-862

Verify integrity in audit chain (admin only). AS-IS.