Open-redirect via unvalidated RelayState in SAML ACS handler
Affected versions
- Affected versions: <= 2.52.0
- Patched version: 2.53.0
- Advisory published: 11 Apr 2026
Severity
Severity: Low
We have not requested an official CVE ID for this security advisory.
Vulnerability
Kimai’s SAML authentication flow accepted the RelayState parameter as a redirect target without sufficiently validating the destination.
In affected versions, a successful SAML login could therefore redirect users to an attacker-controlled URL.
The issue requires SAML to be enabled and depends on a malicious or manipulated RelayState value being supplied during the authentication flow.
Info
This issue affected the SAML login flow after successful authentication.
- Kimai accepted the RelayState parameter as a redirect destination without sufficiently validating the target URL
- After a successful SAML login, a user could be redirected to an attacker-controlled website
- The issue only affected installations that had SAML authentication enabled
- Exploitation required control over the SAML flow or an IdP-initiated login scenario with a malicious RelayState value
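To make the bug class concrete, here is an added illustration that is not Kimai's code: the unvalidated pattern the advisory describes (RelayState used as-is) beside a version that only accepts same-origin targets. The application origin, landing page and RelayState values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed values for the example; none of these come from the Kimai advisory.
APP_ORIGIN = "https://kimai.example.internal"   # assumed application origin
DEFAULT_LANDING = "/dashboard"                  # assumed post-login page


def vulnerable_post_login_target(relay_state, default=DEFAULT_LANDING):
    """The pattern behind the advisory: whatever RelayState the IdP echoes back is
    used as the redirect target, so an attacker-controlled URL is followed."""
    return relay_state or default


def safe_post_login_target(relay_state, app_origin=APP_ORIGIN, default=DEFAULT_LANDING):
    """Return a redirect target that stays on app_origin.

    Accepts a relative path ('/timesheet/...') or an absolute URL whose scheme and
    host exactly match app_origin; anything else falls back to the default page.
    """
    if not relay_state:
        return default
    # Control characters or spaces could split the Location header or hide a second URL.
    if any(ord(c) < 0x20 or c == " " for c in relay_state):
        return default
    # Browsers treat a leading backslash like a slash, so '/\evil.test' becomes '//evil.test'.
    candidate = relay_state.replace("\\", "/")
    if candidate.startswith("/"):
        # A protocol-relative URL ('//evil.test') is an absolute URL in disguise.
        if candidate.startswith("//"):
            return default
        return candidate
    parts = urlsplit(candidate)
    origin = urlsplit(app_origin)
    # Scheme and host must match exactly; 'https://app@evil.test' has netloc 'app@evil.test'.
    if parts.scheme != origin.scheme or parts.netloc.lower() != origin.netloc.lower():
        return default
    # Re-emit only path and query so nothing from the original authority survives.
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for rs in ["https://evil.test/phish", "//evil.test", "/\\evil.test",
               "/timesheet/?page=2", "https://kimai.example.internal/timesheet?x=1#f"]:
        print(f"{rs!r:50} -> {safe_post_login_target(rs)}")
```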
Solution
Users should update to 2.53.0 or newer.
Credits
- Reported by: morimori-dev
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-3jp4-mhh4-gcgr