Security advisories
This document describes how reported security vulnerabilities are handled for Kimai.
We take every security report seriously and act upon it as soon as possible. If you’re a security researcher, please read our Guidelines about testing and reporting new vulnerabilities before submitting a report.
Upon receiving a new security report, our process looks like this:
- We review the report and, if needed, contact the reporter with follow-up questions
- We reproduce and verify the reported issue
- We write regression tests to prevent the issue from reoccurring
- We fix the vulnerability and create a new Kimai release (noting that security fixes are included)
- We update the Kimai-Cloud environment
- We write an advisory for our website that explains the issue in plain language (see the list of published advisories below)
- We request a CVE ID, if the issue qualifies for one
- At least two weeks after the patched version has been released, we publish the advisory on our website and on GitHub
Severity levels
We rate security issues using four severity levels: Low, Medium, High, and Critical.
Our GitHub advisories may include CVSS scores for reference, but we do not rely on CVSS as the primary basis for grading vulnerabilities. In our view, CVSS does not adequately capture all the factors and context involved in assessing real-world impact.
A rough guideline for how we classify security issues:
- Low: read access to data that should not be accessible
- Medium: write access to data that should not be accessible (e.g. XSS, CSRF)
- High: permission escalation to admin level, escaping sandboxes, reading filesystem contents
- Critical: system manipulation, passing authentication flows
We take additional details into account beyond this list. Each advisory is rated as a whole, and we particularly consider the permission level required for exploitation.
For example: any issue that requires direct filesystem access or a System-Admin account to exploit is unlikely to be rated higher than Medium, as these preconditions significantly limit the realistic attack surface:
- The System-Admin role is the Kimai equivalent of a root account and can easily delete all data in the system.
- Users who already have filesystem access to the server have a variety of options to manipulate the system and do not need Kimai for that.
Published vulnerabilities
You can subscribe to all advisories via Atom RSS Feed.
- 2026-05-22: Invoice PDF export could trigger requests to internal network services
- 2026-05-22: CSRF attack allowed tricking logged-in users into creating teams and changing access
- 2026-05-22: Password reset links stayed valid after the password was changed
- 2026-05-19: Users could create activities and projects outside their access scope
- 2026-05-18: Signed-in users could tamper with other users’ favorite timesheet bookmarks
- 2026-05-05: Arbitrary file read in invoice PDF renderer (admin)
- 2026-04-28: Timesheets could be assigned to off-limits projects through the API
- 2026-04-28: Teamlead users could read other users’ timesheets through the API
- 2026-04-27: Twig function config() leaks secrets via invoice/export templates
- 2026-04-27: Missing Voter Check Allows Cross-Team Timesheet Manipulation
- 2026-04-26: Formula Injection via tag names in XLSX export
- 2026-04-21: Team API Missing Object-Level Authorization
- 2026-04-16: Username enumeration via timing, using deprecated API authentication
- 2026-04-14: User Preferences API allows standard users to modify: hourly_rate, internal_rate
- 2026-04-14: ⚠️ Stored XSS via incomplete HTML attribute escaping in Team-Member widget
- 2026-04-11: API password hash leakage via invoice Twig template
- 2026-04-11: Open-redirect via unvalidated RelayState in SAML ACS handler
- 2026-03-04: API invoice endpoint missing customer-level access control (IDOR)
- 2026-01-18: Authenticated server-side template injection (SSTI)
- 2024-09-17: XXE leading to local file read
- 2024-03-27: API returns timesheet entries a user shouldn’t be authorized to view
- 2023-10-27: ⚠️ Authenticated SSTI to RCE by uploading a malicious twig file