Authenticated server-side template injection (SSTI)

Affected versions

Kimai versions <=2.45.0 are affected by this security issue
The issue has been fixed in Kimai 2.46.0
Severity: Medium
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-23626 to this issue

Description

Kimai contained a server-side template injection vulnerability in its export template handling. In affected versions, an authenticated user with sufficient permissions and access to a malicious export template could use the permissive Twig sandbox to read sensitive application data.

The advisory showed that environment values, password hashes, session data, and other secrets could be extracted from the rendering context.

This issue was caused by an overly permissive Twig security policy for export templates.

The export template sandbox allowed method and property access that should have been blocked
A malicious template could read sensitive values from the request, session, and user objects
Exposed data could include secrets such as APP_SECRET, database configuration, password hashes, and session-related information
Export templates can only be uploaded via direct filesystem access and is usually only possible for System-Admins
Kimai Cloud is not affected because Twig templates have to pass a manual review process

Solution

The existing Twig sandbox security-policy was enhanced to guard against access of sensitive user, session and environment data.

Users should update to 2.46.0 or newer.

Credits

Reported by: Mahammad Huseynkhanli
Patched by: kevinpapst

First reported in GitHub advisory: GHSA-jg2j-2w24-54cg