3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-41498

CVE-2026-41498: Kimai: Team API Missing Object-Level Authorization

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-41498

CVE-2026-41498:

3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
kimai/kimai	composer	< 2.54.0	2.54.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the TeamController API due to a misconfiguration of the IsGranted security attribute in multiple methods responsible for team management. The vulnerable methods used #[IsGranted('edit_team')] or #[IsGranted('delete_team')], which only checks for a user's role-level permissions. It does not perform an object-level authorization check to verify if the user is actually a member or leader of the specific team they are trying to modify.

The Symfony TeamVoter is designed to perform this object-level check, but it only supports the attributes 'edit' and 'delete', not 'edit_team' or 'delete_team'. Consequently, the voter would abstain, and the authorization check would fall back to a simple role check, which is insufficient.

An attacker with the edit_team permission (which could be granted by an administrator to a non-admin role) could exploit this to modify the membership and permissions of any team in the system, not just the ones they manage. The patch corrects this by changing the attribute to #[IsGranted('edit', 'team')] or #[IsGranted('delete', 'team')], which correctly passes the team object to the TeamVoter for a proper ownership check.

Vulnerable functions

App\API\TeamController::deleteAction

src/API/TeamController.php

The function was protected by `#[IsGranted('delete_team')]`. This attribute only checks for the role-level permission 'delete_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'delete_team' permission to delete any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('delete', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::patchAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to modify any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::postMemberAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to add a member to any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::deleteMemberAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to remove a member from any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::postCustomerAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to grant customer access to any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::deleteCustomerAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to revoke customer access from any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::postProjectAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to grant project access to any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::deleteProjectAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to revoke project access from any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::postActivityAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to grant activity access to any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

App\API\TeamController::deleteActivityAction

src/API/TeamController.php

The function was protected by `#[IsGranted('edit_team')]`. This attribute only checks for the role-level permission 'edit_team' and does not pass the 'team' object to the voter. As a result, the `TeamVoter` abstains, and no object-level authorization (ownership check) is performed. This allows any user with the 'edit_team' permission to revoke activity access from any team, not just the ones they are authorized to manage. The patch corrects this by using `#[IsGranted('edit', 'team')]`, which properly invokes the `TeamVoter` to perform ownership checks.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.