CVE-2026-40486 — Kimai is an open-source time tracking application. In

/MEDIUM
Written by SCW Vulnerability Desk Vulnerability Intelligence
National Vulnerability Database vulnerabilitycvemedium-severitycwe-915
CVE-2026-40486 — Kimai is an open-source time tracking application. In

Image via images.unsplash.com

CVE-2026-40486 — Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and intern

What This Means For You

  • If your environment is affected by CWE-915, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-40486 updates and patches.

Related ATT&CK Techniques

T1078.004 Abuse Elevation Control Mechanism: Sudo and Sudo Caching Privilege Escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching Privilege Escalation T1078 Valid Accounts Initial Access

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

medium T1078.004 Defense Evasion

CVE-2026-40486 - Kimai User Preference Billing Rate Tampering

Sigma YAML — free preview
✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Export via Bot →

Indicators of Compromise

IDTypeIndicator
CVE-2026-40486 vulnerability CVE-2026-40486
CWE-915 weakness CWE-915

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 18, 2026 at 02:16 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related Posts

Critical NovumOS Flaw: Kernel Takeover via Memory Mapping

CVE-2026-40572 — NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring...

vulnerabilityCVEcriticalhigh-severityprivilege-escalationcwe-269
/SCW Vulnerability Desk /CRITICAL /⚑ 4 IOCs /⚙ 2 Sigma

Movary Flaw Allows Admin Account Creation, High-Severity Risk

CVE-2026-40350 — Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user...

vulnerabilityCVEhigh-severitycwe-863
/SCW Vulnerability Desk /HIGH /⚑ 4 IOCs /⚙ 3 Sigma

Critical Flaw in NovumOS Allows Kernel Privilege Escalation

CVE-2026-40317 — NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an...

vulnerabilityCVEcriticalhigh-severityprivilege-escalationcwe-20cwe-269
/SCW Vulnerability Desk /CRITICAL /⚑ 4 IOCs /⚙ 2 Sigma