Arbitrary file read in invoice PDF renderer (admin)

Affected versions

  • Kimai versions >= 2.32.0, <= 2.55 are affected by this security issue
  • The issue has been fixed in Kimai 2.56
  • Severity: Medium
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-44298 to this issue

Description

Kimai allowed a System-Admin (ROLE_SUPER_ADMIN) with the upload_invoice_template permission to abuse PDF renderer options from within a sandboxed invoice Twig template. In affected versions, a crafted template could pass a malicious associated_files entry to mPDF and cause the renderer to read a local file from the server and embed its contents into the generated PDF.

This issue affected uploaded invoice templates rendered as PDF documents.

  • The Twig sandbox exposed pdfContext.setOption() during invoice rendering
  • The associated_files option used for PDF/A e-invoice support was forwarded to mPDF without removing attacker-controlled path values
  • mPDF’s SetAssociatedFiles() could then read the referenced local file and embed its contents into the returned PDF
  • The attacker could only exfiltrate files that were readable by the PHP worker and accepted by mPDF as associated files
  • Exploitation required the upload_invoice_template permission, which is typically reserved for ROLE_SUPER_ADMIN
  • Kimai Cloud is not affected because invoice templates go through a manual review process

The vulnerable option was intended to be set from PHP code or plugins, not directly from a Twig template.

Solution

The fix has two parts:

  • PdfContext now uses a strict allowlist that excludes associated_files
  • The PDF converter strips any path entry before forwarding associated files to mPDF
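The two layers of the fix, as an added illustration in PHP; this is not Kimai's or mPDF's own code. The class name, the allowlisted option names and the associated-file entry keys (name, mime, AFRelationship, content, path) are assumptions chosen to mirror the advisory, and the sanitizer assumes mPDF's SetAssociatedFiles() accepts an entry carrying inline content in place of a path. The first layer rejects associated_files at the template boundary, the second strips any path before the converter forwards entries to mPDF, so a file entry can only ever carry bytes the trusted PHP side already had in memory.

```php
<?php
// Added example, not Kimai's or mPDF's code. Names below are assumptions.
declare(strict_types=1);

final class SandboxedPdfContext
{
    // Options a Twig template may set. 'associated_files' is deliberately
    // absent: it must only be populated from PHP code or plugins.
    private const TEMPLATE_ALLOWED_OPTIONS = ['orientation', 'format', 'title'];

    private array $options = [];

    /** Called from the sandboxed template; unknown keys are rejected, not silently ignored. */
    public function setOption(string $name, mixed $value): void
    {
        if (!in_array($name, self::TEMPLATE_ALLOWED_OPTIONS, true)) {
            throw new InvalidArgumentException(sprintf('Option "%s" may not be set from a template', $name));
        }
        $this->options[$name] = $value;
    }

    /** Called only from trusted PHP code (e.g. a PDF/A e-invoice plugin). */
    public function setAssociatedFiles(array $files): void
    {
        $this->options['associated_files'] = $files;
    }

    public function getOptions(): array
    {
        return $this->options;
    }
}

/**
 * Second layer: drop any 'path' key before the entries reach mPDF, so the
 * renderer never opens a server-side file on a template's behalf. Entries
 * without inline 'content' have nothing safe to embed and are discarded.
 */
function sanitizeAssociatedFiles(array $files): array
{
    $clean = [];
    foreach ($files as $file) {
        if (!is_array($file)) {
            continue;
        }
        unset($file['path']);
        if (!isset($file['content']) || !is_string($file['content'])) {
            continue;
        }
        $clean[] = $file;
    }
    return $clean;
}

// Demonstration on constructed input.
$ctx = new SandboxedPdfContext();
$ctx->setOption('orientation', 'P');

try {
    // What a crafted template would attempt; stopped by the allowlist.
    $ctx->setOption('associated_files', [['name' => 'x', 'path' => '/placeholder/server/file']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Even if a path entry were handed in through trusted code, it is stripped.
$ctx->setAssociatedFiles([
    ['name' => 'invoice.xml', 'mime' => 'text/xml', 'AFRelationship' => 'Alternative',
     'content' => '<invoice/>', 'path' => '/placeholder/server/file'],
    ['name' => 'leak.txt', 'path' => '/placeholder/server/file'],
]);
$forwarded = sanitizeAssociatedFiles($ctx->getOptions()['associated_files']);
// $mpdf->SetAssociatedFiles($forwarded); // the real mPDF call, omitted so this runs without mPDF
var_dump(array_column($forwarded, 'name')); // only "invoice.xml" survives, with no 'path' key
```

Both layers are worth keeping: the allowlist is the fix for this advisory, while the path stripping means a future plugin or refactor that exposes associated_files again still cannot turn a template into a file read.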

If you cannot update immediately, do not grant upload_invoice_template to untrusted users.

Users should update to 2.56 or newer.

Credits

  • Reported by: melnicek
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-h5fh-7hwr-97mw
