Specially Crafted Search Terms Could Disrupt Kimai's Search Feature

Affected versions

  • Kimai versions <= 2.59.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.60.0
  • Severity: Low
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-63008 to this issue

Description

Kimai’s search feature did not properly validate the field names used in advanced search terms. A signed-in user could enter a specially formatted search term that caused errors in the search function, and on installations running in a development or debug configuration, those errors could expose internal technical details.

  • Any authenticated user could trigger this issue — no special role or permission was required.
  • The issue was triggered by search terms that target a specific field (written as fieldname:value) when the field name portion contained unusual characters.
  • Triggering it repeatedly could cause errors across search-related pages and API endpoints, disrupting the search feature for other users.
  • On installations running in development or debug mode, the resulting error messages could reveal internal details such as database structure and internal class names, rather than actual timesheet or user data.
  • This affects all Kimai installations, both OnPremise and Cloud.
  • There is no evidence this issue allowed reading, changing, or deleting data — the impact is limited to service disruption and, in non-production configurations, exposure of internal technical details.

Solution

The search feature no longer builds internal database identifiers from user-supplied search terms. Field names are now generated internally, so search input can no longer influence the underlying query structure.

Users should update to 2.60.0 or newer.

Credits

  • Reported by: tikket1
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-9cxw-hp3c-637x

Top