GHSA-c6w6-57jj-62vh
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
Details
### Summary
Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet `restart` and `duplicate` workflows. After a user loses access to a project, the user can still derive a new timesheet from one of their historical entries and create a new record under that now-unauthorized project and activity combination.
This is a permission revocation bypass with persistent write impact. The issue affects both `restart` and `duplicate`, which trust ownership of an old timesheet more than the user's current access to the underlying project, activity, and customer.
### Details
The issue affects the following operations:
- `PATCH /api/timesheets/{id}/restart` - `PATCH /api/timesheets/{id}/duplicate`
The root cause is that authorization gives too much weight to the fact that the original timesheet belongs to the current user. In `src/Voter/TimesheetVoter.php`, the `*_own_timesheet` branch is evaluated before team-based access checks.
The restart/duplicate capability check also verifies only object visibility, not whether the current user still has team-based access to the referenced objects.
In `src/API/TimesheetController.php`, the restart flow copies the historical `project` and `activity` into a new candidate timesheet.
The duplicate flow similarly clones the historical record and saves it.
In `src/Timesheet/TimesheetService.php`, creation of a new running entry still relies on `isGranted('start', $timesheet)`.
For historical entries that belong to the current user, this logic can still succeed through the `*_own_timesheet` branch even after project access has been revoked. As a result, normal creation pages correctly stop offering the revoked project, but `restart` and `duplicate` can still create new records under it.
The same weakness also affects the Web duplicate flow because the UI path ultimately calls the same save logic in `src/Controller/TimesheetAbstractController.php`:
*A PoC was provided, but removed for security reasons.*
### Impact
This vulnerability allows a user to keep writing new time entries into a project after project access has been revoked. That undermines administrative access-control changes and can pollute project time tracking, budget calculations, statistics, reports, and invoicing workflows.
Because both `restart` and `duplicate` can reuse historical project/activity bindings, old timesheet records effectively become reusable capability tokens that survive later access-control changes. This is not a UI artifact or a caching problem: new database rows are persisted after revocation.
# Solution
The metoid `TimesheetVoter::canStart()` now checks team access for project and activity. This verification is used for new timesheets and also for the `duplication` and `restart` workflows.
See [https://www.kimai.org/en/security/ghsa-c6w6-57jj-62vh](https://www.kimai.org/en/security/ghsa-c6w6-57jj-62vh) for more information.
Are you affected?
Enter the version of the package you're using.