Arbitrary file read in invoice PDF renderer (admin)
Affected versions
- Affected versions: >= 2.32.0, <= 2.55
- Patched version: 2.56
- Advisory published: 05 May 2026
Severity
Severity: Medium
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-44298 to this issue.
Vulnerability
Kimai allowed a System-Admin (ROLE_SUPER_ADMIN) with the upload_invoice_template permission to abuse PDF renderer options from within a sandboxed invoice Twig template.
In affected versions, a crafted template could pass a malicious associated_files entry to mPDF and cause the renderer to read a local file from the server and embed its contents into the generated PDF.
Info
This issue affected uploaded invoice templates rendered as PDF documents.
- The Twig sandbox exposed `pdfContext.setOption()` during invoice rendering
- The `associated_files` option used for PDF/A e-invoice support was forwarded to mPDF without removing attacker-controlled `path` values
- mPDF's `SetAssociatedFiles()` could then read the referenced local file and embed its contents into the returned PDF
- The attacker could only exfiltrate files that were readable by the PHP worker and accepted by mPDF as associated files
- Exploitation required the `upload_invoice_template` permission, which is typically reserved for `ROLE_SUPER_ADMIN`
- Kimai Cloud is not affected because invoice templates go through a manual review process
The vulnerable option was intended to be set from PHP code or plugins, not directly from a Twig template.
The fix has two parts: PdfContext now uses a strict allowlist that excludes associated_files, and the PDF converter strips any path entry before forwarding associated files to mPDF.
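The two layers described above, written out as an added illustration rather than Kimai's own code. The class and function names (`PdfContext`, `stripAssociatedFilePaths`), the contents of the allowlist, and the assumption that mPDF associated-file entries carry either a `path` or an inline `content` key are all assumptions made for this example; the sample inputs are constructed and no real mPDF instance is created, so the script runs stand-alone with `php example.php`.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the context object a sandboxed Twig template can
// reach. The option names are an assumption; what matters is that the list is
// a strict allowlist and 'associated_files' is deliberately absent from it.
final class PdfContext
{
    private const ALLOWED_OPTIONS = ['format', 'orientation', 'margin_top', 'margin_bottom'];

    /** @var array<string, mixed> */
    private array $options = [];

    public function setOption(string $name, mixed $value): void
    {
        if (!in_array($name, self::ALLOWED_OPTIONS, true)) {
            throw new InvalidArgumentException(sprintf('Option "%s" may not be set from a template', $name));
        }
        $this->options[$name] = $value;
    }

    /** @return array<string, mixed> */
    public function getOptions(): array
    {
        return $this->options;
    }
}

/**
 * Second layer, applied by the converter no matter where the option came from:
 * remove every 'path' entry so mPDF is never asked to open a local file. Only
 * entries that still carry inline 'content' (as produced by the e-invoice
 * generator) are forwarded. Hypothetical helper, not Kimai's code.
 *
 * @param array<int, mixed> $files
 * @return array<int, array<string, mixed>>
 */
function stripAssociatedFilePaths(array $files): array
{
    $clean = [];
    foreach ($files as $file) {
        if (!is_array($file)) {
            continue;
        }
        unset($file['path']);
        if (!isset($file['content']) || !is_string($file['content'])) {
            continue; // nothing safe left to embed
        }
        $clean[] = $file;
    }
    return $clean;
}

// --- demonstration with constructed input ---------------------------------

$context = new PdfContext();
$context->setOption('format', 'A4');

try {
    // What a crafted template attempted in affected versions: point an
    // associated file at a local path so its contents end up in the PDF.
    $context->setOption('associated_files', [[
        'name'           => 'x.xml',
        'mime'           => 'text/xml',
        'AFRelationship' => 'Alternative',
        'path'           => '/etc/passwd',
    ]]);
    echo "allowlist FAILED\n";
} catch (InvalidArgumentException $e) {
    echo "allowlist blocked: {$e->getMessage()}\n";
}

// Even if such an entry reached the converter, the path is dropped and only
// the inline e-invoice XML is forwarded.
$forwarded = stripAssociatedFilePaths([
    ['name' => 'x.xml',       'mime' => 'text/xml', 'AFRelationship' => 'Alternative', 'path'    => '/etc/passwd'],
    ['name' => 'invoice.xml', 'mime' => 'text/xml', 'AFRelationship' => 'Alternative', 'content' => '<invoice/>'],
]);

echo count($forwarded) === 1 && !isset($forwarded[0]['path'])
    ? "converter kept 1 inline entry, no path entries\n"
    : "converter check FAILED\n";
```

Both layers matter: the allowlist stops templates from naming the option at all, while the path stripping protects against any other caller (a plugin, or a future option added to the allowlist by mistake) handing mPDF a filesystem path.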
Solution
Users should update to 2.56 or newer.
If you cannot update immediately, do not grant upload_invoice_template to untrusted users.
Credits
- Reported by: melnicek
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-h5fh-7hwr-97mw