Arbitrary file read in invoice PDF renderer (admin)
Affected versions
- Kimai versions >= 2.32.0, <= 2.55 are affected by this security issue
- The issue has been fixed in Kimai 2.56
- Severity: Medium
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-44298 to this issue
Description
Kimai allowed a System-Admin (ROLE_SUPER_ADMIN) with the upload_invoice_template permission to abuse PDF renderer options from within a sandboxed invoice Twig template.
In affected versions, a crafted template could pass a malicious associated_files entry to mPDF and cause the renderer to read a local file from the server and embed its contents into the generated PDF.
This issue affected uploaded invoice templates rendered as PDF documents.
- The Twig sandbox exposed `pdfContext.setOption()` during invoice rendering
- The `associated_files` option used for PDF/A e-invoice support was forwarded to mPDF without removing attacker-controlled `path` values
- mPDF's `SetAssociatedFiles()` could then read the referenced local file and embed its contents into the returned PDF
- The attacker could only exfiltrate files that were readable by the PHP worker and accepted by mPDF as associated files
- Exploitation required the `upload_invoice_template` permission, which is typically reserved for `ROLE_SUPER_ADMIN`
- Kimai Cloud is not affected because invoice templates go through a manual review process
The vulnerable option was intended to be set from PHP code or plugins, not directly from a Twig template.
Solution
The fix has two parts:
- `PdfContext` now uses a strict allowlist of template-settable options that excludes `associated_files`
- the PDF converter strips any `path` entry before forwarding associated files to mPDF
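As an added illustration of that two-part fix (this is not Kimai's `PdfContext` or its converter; the class name, method names, allowlist contents and sample entries are assumptions), the shape of the hardening in PHP: one allowlist that keeps a template from reaching `associated_files` at all, and one filter that removes every `path` key before the list is handed to mPDF, so mPDF is only ever asked to embed in-memory content the PHP side supplied. The entry keys follow the layout mPDF's `SetAssociatedFiles()` accepts as I understand it (`name`, `mime`, optional `description`/`AFRelationship`, and `path` or `content`); no mPDF call is made in the example.

```php
<?php
declare(strict_types=1);

// Added example: an illustrative model of the two defences described in the
// advisory. NOT Kimai's code; class name, method names and allowlist contents
// are assumptions.

final class ExamplePdfContext
{
    // Assumed allowlist of renderer options a sandboxed Twig template may set.
    // Whatever the real list contains, 'associated_files' is not on it, so a
    // template can no longer reach that option through setOption().
    private const TEMPLATE_SETTABLE = ['format', 'orientation'];

    /** @var array<string, mixed> */
    private array $options = [];

    /** @var array<int, array<string, mixed>> */
    private array $associatedFiles = [];

    // Entry point exposed to the sandboxed template: unknown keys are refused.
    public function setOption(string $name, mixed $value): void
    {
        if (!in_array($name, self::TEMPLATE_SETTABLE, true)) {
            throw new \InvalidArgumentException(
                sprintf('Option "%s" cannot be set from an invoice template', $name)
            );
        }
        $this->options[$name] = $value;
    }

    // Entry point for PHP code and plugins, the intended source of e-invoice
    // attachments. Only in-memory content is accepted; there is no way to
    // pass a file path through this API.
    public function addAssociatedFile(string $name, string $mime, string $content): void
    {
        $this->associatedFiles[] = [
            'name'    => $name,
            'mime'    => $mime,
            'content' => $content,
        ];
    }

    // Second line of defence, applied just before the list reaches mPDF:
    // delete every 'path' key so mPDF never opens a server-local file, and
    // drop entries that then have nothing left to embed.
    public static function stripPaths(array $files): array
    {
        $clean = [];
        foreach ($files as $file) {
            if (!is_array($file)) {
                continue;
            }
            unset($file['path']);
            if (!isset($file['content']) || !is_string($file['content'])) {
                continue;
            }
            $clean[] = $file;
        }
        return $clean;
    }

    public function associatedFilesForMpdf(): array
    {
        return self::stripPaths($this->associatedFiles);
    }
}

// Constructed demonstration input; '/etc/hostname' is just a placeholder path.
$ctx = new ExamplePdfContext();

// 1) A template trying to set the dangerous option is stopped by the allowlist.
try {
    $ctx->setOption('associated_files', [['name' => 'x.xml', 'path' => '/etc/hostname']]);
} catch (\InvalidArgumentException $e) {
    echo 'allowlist: ', $e->getMessage(), PHP_EOL;
}

// 2) Even a list that still carries 'path' keys loses them before mPDF sees it.
$tainted = [
    ['name' => 'invoice.xml', 'mime' => 'text/xml',   'path' => '/etc/hostname', 'content' => '<Invoice/>'],
    ['name' => 'leak.txt',    'mime' => 'text/plain', 'path' => '/etc/hostname'],
];
var_dump(ExamplePdfContext::stripPaths($tainted));
```

Run it with `php example.php`. The two layers are deliberately independent: the allowlist closes the sandbox hole the advisory describes, and the converter-side strip protects against any future caller (a plugin, a new option) that forwards attacker-influenced entries, which is why the filter drops the `path` key unconditionally rather than trying to validate it against a directory.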
Users should update to 2.56 or newer.
If you cannot update immediately, do not grant the `upload_invoice_template` permission to untrusted users.
Credits
- Reported by: melnicek
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-h5fh-7hwr-97mw