Summary
GET /api/timesheets?user=<id> (and users[]=<id>) returns the targeted user's timesheet records to any caller that has the view_other_timesheet permission, without verifying that the caller is teamlead of any team containing the target user. The per-record endpoint GET /api/timesheets/{id} correctly enforces this check via TimesheetVoter/RolePermissionManager::checkTeamAccessTimesheet → checkTeamLeadAccess, but the list endpoint only filters projects/customers by team membership and never validates t.user. A ROLE_TEAMLEAD user can therefore enumerate any user's records — including the rate field — as long as those records are on a project with no team scoping (Kimai's default) or on any project that shares any team (membership, not lead) with the requester.
Details
Root cause: authorization mismatch between the per-record voter and the list endpoint.
Per-record path (correct)
src/Voter/TimesheetVoter.php:138:
if (!$this->permissionManager->checkTeamAccessTimesheet($subject, $user)) {
return false;
}
return $this->permissionManager->hasRolePermission($user, $permission . '_other_timesheet');
checkTeamLeadAccess (RolePermissionManager.php:143-160) requires isTeamleadOf (not just member) one of the target user's teams. The unit test testTeamleadDeniedWhenOnlyPlainMemberOfOwnerTeam (tests/Voter/TimesheetVoterTest.php:253-269) codifies this:
"a TEAMLEAD role with view_other_timesheet must not access another user's timesheet by being a plain team member — they must be the team's teamlead."
List path (vulnerable)
src/API/TimesheetController.php:97-119:
public function cgetAction(ParamFetcherInterface $paramFetcher, ..., UserRepository $userRepository): Response
{
$query = new TimesheetQuery(false);
$this->prepareQuery($query, $paramFetcher);
$seeAll = false;
if ($this->isGranted('view_other_timesheet')) {
/** @var array<int> $users */
$users = $paramFetcher->get('users');
$userId = $paramFetcher->get('user');
if ('all' === $userId) {
$seeAll = true;
} elseif (\is_string($userId) && $userId !== '') {
$users[] = (int) $userId;
}
if (!$seeAll) {
foreach ($userRepository->findByIds($users) as $user) {
$query->addUser($user); // <-- no teamlead-of-target check
}
}
}
...
config/packages/kimai.yaml:96,115 grants TIMESHEET_OTHER (which contains view_other_timesheet) to ROLE_TEAMLEAD, so the gate at line 103 passes for any teamlead. The user= / users[]= IDs are pushed straight into the query.
Net effect
For any victim bob who:
- has at least one team that the requester
alice is not teamlead of (so the voter denies per-record access), AND
- has timesheets either on a project with no team (Kimai's default), or on a project that shares any team with
alice (membership, not lead)
alice is denied via GET /api/timesheets/{id} but receives bob's records via GET /api/timesheets?user=<bob_id>.
Disclosed fields in the collection response include description, begin, end, duration, billable, exported, tags, rate, internalRate, plus project/activity/user IDs (Default/Collection serializer groups, Timesheet.php:164-173). rate is financial data that the per-record voter is supposed to gate via the separate view_rate_other_timesheet permission.
Why other proposed mitigations don't apply
- The
view_other_timesheet IsGranted on the route is the only authorization layer in the list path; ROLE_TEAMLEAD has it globally.
prepareQuery only sets currentUser, not authorization (BaseApiController.php:68-71).
- The serializer does not filter
rate per caller — it is a static Default-group property.
- Recent commit 20c7b03 "Re-usable ACL checks on teams" hardened the voter side but left the list endpoint unchanged.
A PoC was provided, but removed for security reasons.
Impact
- Authorization bypass: a
ROLE_TEAMLEAD (a non-admin role typically granted to multiple users in a Kimai instance) can read any other user's timesheet records
- Financial data disclosure: the
rate and internalRate fields are returned in the collection serializer group, leaking what gets billed/costed against any user's records.
- PII / activity disclosure: per-entry
description, begin, end, duration, billable, exported, project/activity/customer IDs, and tags are leaked, allowing reconstruction of any user's activity timeline.
Solution
The list of requested user TimesheetController::cgetAction() is now guarded with the access_user permission.
The access_user permission verifies that the requesting user is allowed to see each of the requested user.
If any of the requested users may not be seen, the entire call will fail.
Find out more at https://www.kimai.org/en/security/ghsa-4m8q-55qv-9pwp
References
Summary
GET /api/timesheets?user=<id>(andusers[]=<id>) returns the targeted user's timesheet records to any caller that has theview_other_timesheetpermission, without verifying that the caller is teamlead of any team containing the target user. The per-record endpointGET /api/timesheets/{id}correctly enforces this check viaTimesheetVoter/RolePermissionManager::checkTeamAccessTimesheet→checkTeamLeadAccess, but the list endpoint only filters projects/customers by team membership and never validatest.user. AROLE_TEAMLEADuser can therefore enumerate any user's records — including theratefield — as long as those records are on a project with no team scoping (Kimai's default) or on any project that shares any team (membership, not lead) with the requester.Details
Root cause: authorization mismatch between the per-record voter and the list endpoint.
Per-record path (correct)
src/Voter/TimesheetVoter.php:138:checkTeamLeadAccess(RolePermissionManager.php:143-160) requiresisTeamleadOf(not just member) one of the target user's teams. The unit testtestTeamleadDeniedWhenOnlyPlainMemberOfOwnerTeam(tests/Voter/TimesheetVoterTest.php:253-269) codifies this:List path (vulnerable)
src/API/TimesheetController.php:97-119:config/packages/kimai.yaml:96,115grantsTIMESHEET_OTHER(which containsview_other_timesheet) toROLE_TEAMLEAD, so the gate at line 103 passes for any teamlead. Theuser=/users[]=IDs are pushed straight into the query.Net effect
For any victim
bobwho:aliceis not teamlead of (so the voter denies per-record access), ANDalice(membership, not lead)aliceis denied viaGET /api/timesheets/{id}but receivesbob's records viaGET /api/timesheets?user=<bob_id>.Disclosed fields in the collection response include
description,begin,end,duration,billable,exported,tags,rate,internalRate, plus project/activity/user IDs (Default/Collection serializer groups, Timesheet.php:164-173).rateis financial data that the per-record voter is supposed to gate via the separateview_rate_other_timesheetpermission.Why other proposed mitigations don't apply
view_other_timesheetIsGrantedon the route is the only authorization layer in the list path; ROLE_TEAMLEAD has it globally.prepareQueryonly setscurrentUser, not authorization (BaseApiController.php:68-71).rateper caller — it is a staticDefault-group property.A PoC was provided, but removed for security reasons.
Impact
ROLE_TEAMLEAD(a non-admin role typically granted to multiple users in a Kimai instance) can read any other user's timesheet recordsrateandinternalRatefields are returned in the collection serializer group, leaking what gets billed/costed against any user's records.description,begin,end,duration,billable,exported, project/activity/customer IDs, and tags are leaked, allowing reconstruction of any user's activity timeline.Solution
The list of requested user
TimesheetController::cgetAction()is now guarded with theaccess_userpermission.The
access_userpermission verifies that the requesting user is allowed to see each of the requested user.If any of the requested users may not be seen, the entire call will fail.
Find out more at https://www.kimai.org/en/security/ghsa-4m8q-55qv-9pwp
References