Description
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.
Published: 2026-05-08
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

From version 2.32.0 to just before 2.56.0, Kimai allowed system administrators with the upload_invoice_template permission to upload PDF invoice templates that could call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. Because that option is forwarded to mPDF's SetAssociatedFiles(), an attacker could make the PDF writer read any file accessible to the PHP worker. The resulting PDF delivered the file contents to the admin viewing the invoice, an arbitrary file read that compromises confidentiality. The flaw is a directory traversal/absolute path read weakness (CWE-22).
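The missing check the description points at is a path allow-list applied before the option reaches mPDF. The following is an added defender-side example, not Kimai's or mPDF's code; the function name filterAssociatedFiles, the directory layout and the sample entries are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example, not Kimai or mPDF code). Every
// 'associated_files' entry is checked before it reaches mPDF: its 'path'
// must resolve to a regular file inside one allow-listed directory, so the
// file_get_contents() call in the PDF writer can only read files the
// operator chose to expose. realpath() canonicalises ../ segments and
// follows symlinks, so links that escape the directory are caught as well.
function filterAssociatedFiles(array $entries, string $allowedDir): array
{
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        throw new InvalidArgumentException("Allowed directory not found: $allowedDir");
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $safe = [];
    foreach ($entries as $entry) {
        $real = is_string($entry['path'] ?? null) ? realpath($entry['path']) : false;
        if ($real === false || !is_file($real) || strncmp($real, $base, strlen($base)) !== 0) {
            continue; // missing, not a file, or outside the allow-list: drop it
        }
        $entry['path'] = $real; // pass the canonical path on, never the raw one
        $safe[] = $entry;
    }
    return $safe;
}

// Constructed demonstration: one allow-listed directory holding a legitimate
// attachment, one unrelated directory a template must not be able to reach.
$tmp = sys_get_temp_dir() . '/assoc_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/attachments", 0700, true);
mkdir("$tmp/private", 0700, true);
file_put_contents("$tmp/attachments/terms.txt", 'constructed sample attachment');
file_put_contents("$tmp/private/outside.txt", 'constructed file outside the allow-list');
symlink("$tmp/private/outside.txt", "$tmp/attachments/link.txt");

$requested = [
    ['name' => 'terms.txt',   'path' => "$tmp/attachments/terms.txt"],              // legitimate
    ['name' => 'outside.txt', 'path' => "$tmp/private/outside.txt"],                // absolute, outside
    ['name' => 'up.txt',      'path' => "$tmp/attachments/../private/outside.txt"], // traversal
    ['name' => 'link.txt',    'path' => "$tmp/attachments/link.txt"],               // symlink escape
    ['name' => 'gone.txt',    'path' => "$tmp/attachments/does-not-exist.txt"],     // nonexistent
];
$allowed = filterAssociatedFiles($requested, "$tmp/attachments");
assert(count($allowed) === 1 && $allowed[0]['name'] === 'terms.txt');
printf("%d of %d requested entries passed the allow-list\n", count($allowed), count($requested));
```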

Affected Systems

Vendor Kimai, product Kimai, affected versions range from 2.32.0 up to but excluding 2.56.0.

Risk and Exploitability

The CVSS score of 4.1 rates this as a low-to-moderate risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation. The attack vector is inferred to be local or internal, requiring an account with System-Admin privileges and the upload_invoice_template permission. An attacker controlling or compromising such a privileged account could embed arbitrary files into invoice PDFs and retrieve them when viewed by the admin, affecting confidentiality. Because the flaw relies on trusted privileges, the likelihood of an attack is low unless privileged credentials are compromised.

Generated by OpenCVE AI on May 8, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kimai to version 2.56.0 or later.
  • If an upgrade is not immediately possible, revoke the upload_invoice_template permission from the System-Admin role or disable the template upload feature.
  • Review existing invoice templates and remove any that were uploaded during the vulnerable period; avoid rendering them until they are verified safe.



Advisories

No advisories yet.

History

Fri, 08 May 2026 04:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.
Title       |                | Kimai: Arbitrary file read in invoice PDF renderer (admin)
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1 {'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:32:06.672Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44298

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T04:16:24.230

Modified: 2026-05-08T04:16:24.230

Link: CVE-2026-44298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses