
kimai

v2.57.0 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

Published: 13d ago | Category: Productivity & Wikis
✓ No known CVEs patched

Topics

doctrine, invoice, invoicing, kimai, multilanguage, php, self-hosted, symfony, tabler, time-tracker, time-tracking, timetracker, timetracking, timetrackingapp, twig

Affected surfaces

auth rbac deps

ReleasePort's take

Moderate signal
editorial:auto 13d

Version 2.57.0 of Kimai adds several new API endpoints for comment management and a configuration option to set the theme for unauthenticated requests such as the login page.

Why it matters: Developers can now list, create, delete, or pin comments on projects and customers via dedicated API calls; SREs may configure custom branding for login pages. No mandatory migration steps are required.

AI summary

Multiple security hardenings prevent unauthorized timesheet queries, favorite changes, system account elevation, and cross-entity rate manipulation.

Changes in this release

  • Security (High): Prevent regular users from turning their account into a `systemAccount` (source: granite4.1:30b@2026-05-21-audit, confidence: low)
  • Security (Medium): Secure timesheet API patch for disabled projects (source: llm_adapter@2026-05-21, confidence: low)
  • Security (Medium): Prevent querying arbitrary user timesheets (source: llm_adapter@2026-05-21, confidence: low)
  • Security (Medium): Prevent changing favorites of arbitrary users (source: llm_adapter@2026-05-21, confidence: low)
  • Security (Medium): Prevent cross entity rate manipulation (source: llm_adapter@2026-05-21, confidence: low)
  • Security (Medium): Prevent creating child objects of parents without access (source: llm_adapter@2026-05-21, confidence: low)
  • Feature (Medium): New API endpoints for comment (list, create, delete, pin) for projects and customers (source: llm_adapter@2026-05-21, confidence: high)
  • Feature (Medium): New configuration to define the theme for non-authenticated requests like login page (source: llm_adapter@2026-05-21, confidence: low)
  • Feature (Medium): Translations update from Hosted Weblate (source: llm_adapter@2026-05-21, confidence: low)
  • Feature (Low): Compatible with PHP 8.2 to 8.5 (source: granite4.1:30b@2026-05-21-audit, confidence: low)
  • Feature (Low): Export naming: only name the default renderer "default" (source: granite4.1:30b@2026-05-21-audit, confidence: low)
  • Dependency (Medium): Upgrade all dependencies (source: llm_adapter@2026-05-21, confidence: high)
  • Bugfix (Medium): Fix: new weekly-hours could not be added in weeks with exported timesheets (source: llm_adapter@2026-05-21, confidence: high)
  • Bugfix (Medium): Fix: some dashboard widget links were invisible in dark mode (source: llm_adapter@2026-05-21, confidence: low)
  • Bugfix (Medium): Fix checking for correct formatter in durationDecimal (source: llm_adapter@2026-05-21, confidence: low)

Full changelog

Compatible with PHP 8.2 to 8.5

  • New API endpoints for comment (list, create, delete, pin) for projects and customers
  • New configuration to define the theme for non-authenticated requests like login page (#5929)
  • Export naming: only name the default renderer "default" (#5929)
  • Fix: new weekly-hours could not be added in weeks with exported timesheets (#5642)
  • Fix: some dashboard widget links were invisible in dark mode (#5940)
  • Prevent querying arbitrary user timesheets (#5929)
  • Prevent changing favorites of arbitrary users (#5929)
  • Prevent regular users from turning their account into a systemAccount (#5929)
  • Prevent cross entity rate manipulation (#5929)
  • Secure timesheet API patch for disabled projects (#5929)
  • Prevent creating child objects of parents without access (#5929)
  • Upgrade all dependencies (#5929)
  • Fix checking for correct formatter in durationDecimal (#5943)
  • Translations update from Hosted Weblate (#5928)

This release contains multiple security fixes both from Kimai and its dependencies.
You should upgrade as soon as possible.

Involved in this release: @cheriimoya and @kevinpapst and @offset and @Mitchell45 and Abdul-Ramon

Breaking Changes

  • Compatible with PHP 8.2 to 8.5 (minimum version bump)
  • Export naming: only name the default renderer "default"

Security Fixes

  • Prevent querying arbitrary user timesheets
  • Prevent changing favorites of arbitrary users
  • Prevent regular users from turning their account into a `systemAccount`
  • Prevent cross entity rate manipulation
  • Secure timesheet API patch for disabled projects


About kimai

Kimai is the #1 open-source time-tracking application. From freelancers to companies and organisations - everyone can manage timesheets, generate reports, create invoices and so much more... Web-based multi-user application, available as On-Premise or SaaS version: https://www.kimai.org
