CVE-2026-40486 | Kimai up to 2.52.x Preferences API Endpoint preferences isEnabled dynamically-determined object attributes (GHSA-qh43-xrjm-4ggp)

A vulnerability has been found in Kimai up to 2.52.x and classified as problematic. This affects the function isEnabled of the file /api/users/{id}/preferences of the component Preferences API Endpoint. The manipulation leads to dynamically-determined object attributes.

This vulnerability is documented as CVE-2026-40486. The attack can be initiated remotely. There is not any exploit available.

The affected component should be upgraded.VulDB Recent EntriesRead More