Description
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
Published: 2026-01-18
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration via SSTI
Action: Update Immediately
AI Analysis

Impact

Kimai's export feature previously used a permissive Twig sandbox enabling arbitrary method calls on template context objects. An authenticated user with export rights can supply a malicious template that reads environment variables, user password hashes, session tokens, and CSRF tokens, compromising confidentiality.

Affected Systems

All Kimai installations running a version earlier than 2.46.0 are affected. The vulnerable product is Kimai, the open‑source time‑tracking application.

Risk and Exploitability

The vulnerability has a CVSS score of 6.8 (moderate) and a low EPSS probability (<1%), and it is not listed in the CISA KEV catalog. Exploitation requires a legitimate user account with export permissions; a suitable attacker could then deploy a crafted template and retrieve sensitive data. The attack is limited to the affected user's authorization level, but the data exposed could allow further lateral movement if passwords or session tokens are harvested.

Generated by OpenCVE AI on April 18, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kimai to version 2.46.0 or later.
  • Restrict export permissions to trusted administrators.
  • Review and enforce proper sandbox policies for template rendering.

Generated by OpenCVE AI on April 18, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jg2j-2w24-54cg Kimai has an Authenticated Server-Side Template Injection (SSTI)
History

Wed, 18 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Kimai
Kimai kimai
Vendors & Products Kimai
Kimai kimai

Sun, 18 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
Title Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)
Weaknesses CWE-1336
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Kimai Kimai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:07:08.477Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23626

cve-icon Vulnrichment

Updated: 2026-01-20T19:37:31.497Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-18T23:15:48.393

Modified: 2026-02-18T16:30:19.177

Link: CVE-2026-23626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses