Specially Crafted Search Terms Could Disrupt Kimai's Search Feature
Affected versions
- Kimai versions <= 2.59.0 are affected by this security issue
- The issue has been fixed in Kimai 2.60.0
- Severity: Low
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-63008 to this issue
Description
Kimai’s search feature did not properly validate the field names used in advanced search terms. A signed-in user could enter a specially formatted search term that caused errors in the search function, and on installations running in a development or debug configuration, those errors could expose internal technical details.
- Any authenticated user could trigger this issue — no special role or permission was required.
- The issue was triggered by search terms that target a specific field (written as
fieldname:value) when the field name portion contained unusual characters. - Triggering it repeatedly could cause errors across search-related pages and API endpoints, disrupting the search feature for other users.
- On installations running in development or debug mode, the resulting error messages could reveal internal details such as database structure and internal class names, rather than actual timesheet or user data.
- This affects all Kimai installations, both OnPremise and Cloud.
- There is no evidence this issue allowed reading, changing, or deleting data — the impact is limited to service disruption and, in non-production configurations, exposure of internal technical details.
Solution
The search feature no longer builds internal database identifiers from user-supplied search terms. Field names are now generated internally, so search input can no longer influence the underlying query structure.
Users should update to 2.60.0 or newer.
Credits
- Reported by: tikket1
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-9cxw-hp3c-637x
Kimai