CVE-2026-23626
Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)
In short
Kimai's export feature lets authenticated users with export permissions run attacker-controlled Twig template code on the server, which can expose sensitive data such as password hashes and environment variables. The root cause is that the sandbox policy applied to export templates is too permissive.
Technical detail
Kimai versions prior to 2.46.0 render export templates in a Twig sandbox whose `DefaultPolicy` permits unrestricted method invocation on objects in the template context. Authenticated users with export permissions can craft malicious Twig templates that access and exfiltrate environment variables, password hashes, serialized session tokens, and CSRF tokens via Server-Side Template Injection (SSTI).
Summary generated and translated by AI from the official description.
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
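The difference between a permissive and a hardened Twig sandbox, as an added PHP example that is not Kimai's code: the `User` and `AllowAllPolicy` classes, the `strictPolicy()` and `renderExport()` helpers, and the sample password hash are constructed for illustration. `AllowAllPolicy` stands in for an allow-everything policy of the kind the advisory describes and does not reproduce Kimai's actual `DefaultPolicy`. The Twig classes used (`Environment`, `ArrayLoader`, `SandboxExtension`, `SecurityPolicy`, `SecurityPolicyInterface`, `SecurityError`) are the real Twig 3 API.

```php
<?php
// Added example (not Kimai's code): a Twig sandbox whose policy allows any
// method call, beside one with an explicit allowlist. The User class,
// AllowAllPolicy and the sample hash are constructed for illustration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // composer require twig/twig

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityPolicyInterface;

// Stand-in for an ORM entity that ends up in the export template context.
final class User
{
    public function __construct(
        private string $username,
        private string $passwordHash, // never meant to reach a template
    ) {}

    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->passwordHash; }
}

// Hypothetical "allow every method" policy: every check passes, so the
// sandbox is decorative. Not Kimai's DefaultPolicy, only the same effect.
final class AllowAllPolicy implements SecurityPolicyInterface
{
    public function checkSecurity($tags, $filters, $functions): void {}
    public function checkMethodAllowed($obj, $method): void {}
    public function checkPropertyAllowed($obj, $property): void {}
}

// Hardened policy: only the tags, filters and methods an export needs.
// Any other call, including getPassword(), raises a SecurityError.
function strictPolicy(): SecurityPolicy
{
    return new SecurityPolicy(
        ['for', 'if', 'set'],                        // allowed tags
        ['escape', 'date', 'number_format', 'upper'], // allowed filters
        [User::class => ['getUsername']],             // allowed methods per class
        [],                                           // allowed properties
        [],                                           // allowed functions
    );
}

function renderExport(SecurityPolicyInterface $policy, string $template, array $context): string
{
    $twig = new Environment(new ArrayLoader(['export' => $template]), ['autoescape' => false]);
    // Second argument true sandboxes every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->render('export', $context);
    } catch (SecurityError $e) {
        // SecurityNotAllowedMethodError and friends all extend SecurityError.
        return 'BLOCKED: ' . $e->getMessage();
    }
}

$context = ['user' => new User('alice', '$2y$10$constructedHashValueForTheExample')];

// A template an export user could upload: the second call has the same
// shape as a legitimate {{ user.getUsername() }}, so only the policy
// decides whether it runs.
$malicious = 'user={{ user.getUsername() }} hash={{ user.getPassword() }}';

// Permissive policy: both getters run and the hash lands in the export.
echo renderExport(new AllowAllPolicy(), $malicious, $context), PHP_EOL;

// Strict policy: getUsername() is allowed, getPassword() is refused.
echo renderExport(strictPolicy(), $malicious, $context), PHP_EOL;
```

Two points worth checking in a fix of this kind. First, Twig resolves `{{ user.password }}` to the `getPassword()` getter as well, so the allowlist must be on method names, not on the syntax the template uses. Second, the allowlist only narrows what can be called on objects that are already in the context: keep that context to plain value objects built for the export rather than ORM entities, services or request data, so a missing entry in the policy exposes as little as possible.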
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected products
kimai · kimai