CVE-2026-40486

MEDIUM
Published Apr 17, 2026 Modified Apr 27, 2026 CWE-915

Description

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0.

CVSS v3.1 Score

4.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS — Exploit Prediction

0.0002
Probability of exploitation
0.05%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-915 CWE-915

Affected Products

Vendor Product
kimai kimai

References

Frequently Asked Questions

What is CVE-2026-40486? +
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0. It has a CVSS v3.1 base score of 4.3 (MEDIUM).
How severe is CVE-2026-40486? +
CVE-2026-40486 has a CVSS v3.1 score of 4.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0002, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-40486? +
CVE-2026-40486 affects products from kimai, specifically: kimai. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-40486? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-58367

DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable …
CVE-2025-2304

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the …
CVE-2026-46721

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control …
CVE-2025-9315

An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity …
CVE-2025-24370

Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to python class pollution vulnerability. …
CVE-2026-33453 10.0

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-40486 — free, no signup required.

Start Free Scan