Description
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.
Published: 2026-05-08
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kimai allows users with ROLE_USER to create tags whose name may include a formula string. When an administrator exports timesheets as an XLSX file, the application writes these tag names directly into the spreadsheet without sanitization, causing OpenSpout to interpret the string as a formula cell. When the file is opened in Excel, the formula is evaluated, potentially revealing internal data or performing unintended calculations. This flaw is indexed as CWE‑1236 and enables formula injection that can lead to information disclosure or execution of arbitrary spreadsheet functions.

Affected Systems

All installations of Kimai from version 2.27.0 up to, but not including, 2.54.0 are vulnerable. The affected product is the Kimai time‑tracking application supplied by the vendor kimai:kimai. The specific versions impacted are 2.27.0 through 2.53.9; the issue was fixed in release 2.54.0.

Risk and Exploitability

The vulnerability scores a CVSS of 5.4, indicating a moderate severity. No EPSS data is publicly available and the flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack requires a user to create a malicious tag and an administrator to export timesheets; once the XLSX file is opened by a recipient, Excel will evaluate the injected formula. Because the exploit relies on exporting data and user interaction with the file, the risk is contingent on the environment but still warrants prompt remediation.

Generated by OpenCVE AI on May 8, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 2.54.0 Kimai release or a later version to address the flaw
  • Restrict tag creation privileges to trusted users or enforce validation that tag names do not begin with ‘=’, preventing injection
  • Until the update can be applied, disable or limit XLSX exports of timesheets or cleanse exported spreadsheets of any formula cells
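The second and third recommendations above (validate tag names on the way in, audit exported spreadsheets for formula cells) as an added Python example; this is not Kimai's code or its 2.54.0 patch, and the worksheet XML is constructed to mirror the <f>SUM(54+51)</f> cell the description says OpenSpout emits for a formula-named tag.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Characters that spreadsheet writers or Excel may treat as the start of a formula
# (the usual CWE-1236 list; '+' and '-' can be relaxed if legitimate tags need them).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def is_formula_like(tag_name: str) -> bool:
    """Input-side check for new tag names (assumption: not Kimai's own validation)."""
    return tag_name.startswith(FORMULA_PREFIXES)

def find_formula_cells(xlsx_bytes: bytes) -> list:
    """Export-side audit: (sheet part, cell ref, formula) for every <f> element in
    every worksheet of an .xlsx archive; a clean timesheet export has none."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                continue
            root = ET.fromstring(zf.read(name))
            for cell in root.iterfind(".//m:c", NS):
                formula = cell.find("m:f", NS)
                if formula is not None:
                    hits.append((name, cell.get("r", "?"), formula.text or ""))
    return hits

def build_sample_xlsx(sheet_xml: str) -> bytes:
    """Constructed minimal archive holding only the worksheet part the audit reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()

# Constructed worksheet: row 2 carries the promoted FormulaCell in the Tags column,
# exactly the <f>SUM(54+51)</f> shape described for the vulnerable export.
SAMPLE_SHEET = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
 <sheetData>
  <row r="1"><c r="A1" t="inlineStr"><is><t>Project</t></is></c><c r="B1" t="inlineStr"><is><t>Tags</t></is></c></row>
  <row r="2"><c r="A2" t="inlineStr"><is><t>Website</t></is></c><c r="B2"><f>SUM(54+51)</f><v>105</v></c></row>
 </sheetData>
</worksheet>"""

if __name__ == "__main__":
    print(is_formula_like("=SUM(54+51)"), is_formula_like("billable"))
    print(find_formula_cells(build_sample_xlsx(SAMPLE_SHEET)))
```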


Advisories
Source: Github GHSA
ID: GHSA-3xc2-h5r3-wv3r
Title: Kimai vulnerable to formula Injection via tag names in XLSX export
History

Fri, 08 May 2026 05:45:00 +0000

Type: First Time appeared
Values Added: Kimai; Kimai kimai

Type: Vendors & Products
Values Added: Kimai; Kimai kimai

Fri, 08 May 2026 04:00:00 +0000

Type: Description
Values Added: Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.

Type: Title
Values Added: Kimai: Formula Injection via tag names in XLSX export

Type: Weaknesses
Values Added: CWE-1236

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 5.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:28:52.226Z

Reserved: 2026-04-26T11:53:27.706Z

Link: CVE-2026-42267

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T04:16:20.533

Modified: 2026-05-08T04:16:20.533

Link: CVE-2026-42267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses