Kimai CVE-2026-23626 Authenticated Server-Side Template Injection
Kevin Papst
@kevinpapst
Affected versions
All Kimai versions prior to 2.46.0 are affected by this security issue.
The issue has been fixed in Kimai 2.46.0.
Kimai Cloud customers were not affected, as Twig templates cannot be uploaded by users and are only deployed via support after a manual security review.
Description
Developers with SSH access to the server and permission to upload custom export templates could deploy a malicious Twig export template. This issue only affected self-hosted installations where untrusted parties had server access and were able to upload export templates.
Such a template could abuse functionality provided by the Twig template engine to access sensitive runtime information, including password hashes and environment variables.
Resolution
Kimai has introduced additional security restrictions for the Twig environment used during exports and further hardened invoice rendering.
The updated configuration applies a hardened DefaultPolicy, which prevents access to sensitive functions, objects, and environment data that are not required for template rendering.
These changes ensure that export & invoice templates are strictly limited to their intended purpose.
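The restriction described above, as an added example that is not Kimai's own code: a Twig SecurityPolicy allow-list applied to a dedicated export environment, so a template can only use the tags, filters and getters it needs and anything else is rejected at render time. ExportRow and buildExportTwig are hypothetical names; the example assumes twig/twig is installed via Composer.

```php
<?php
// Added example (not Kimai's code): a sandboxed Twig environment with an
// allow-list policy, so export templates can only touch the methods,
// filters and tags they need. Assumes twig/twig installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical export row: only the first two getters are meant for templates.
final class ExportRow
{
    public function __construct(private string $description, private int $minutes) {}
    public function getDescription(): string { return $this->description; }
    public function getMinutes(): int { return $this->minutes; }
    public function getInternalNotes(): string { return 'not for export'; }
}

function buildExportTwig(array $templates): Environment
{
    $policy = new SecurityPolicy(
        ['for', 'if'],                                            // allowed tags
        ['escape', 'upper'],                                      // allowed filters
        [ExportRow::class => ['getDescription', 'getMinutes']],   // allowed methods
        [],                                                       // allowed properties
        []                                                        // allowed functions
    );
    $twig = new Environment(new ArrayLoader($templates));
    // Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

$twig = buildExportTwig([
    'ok.twig'      => '{% for r in rows %}{{ r.description|upper }}: {{ r.minutes }}m{% endfor %}',
    'blocked.twig' => '{% for r in rows %}{{ r.internalNotes }}{% endfor %}',
]);
$rows = [new ExportRow('Customer meeting', 45)];
echo $twig->render('ok.twig', ['rows' => $rows]), PHP_EOL;
try {
    $twig->render('blocked.twig', ['rows' => $rows]);
} catch (SecurityError $e) {
    // getInternalNotes is not on the allow-list, so the sandbox refuses the call.
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```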
Credits
We would like to thank Mahammad Huseynkhanli for responsibly reporting the issue.