Authenticated server-side template injection (SSTI)

Affected versions

  • Affected versions: <=2.45.0
  • Patched version: 2.46.0
  • Advisory published: 18 Jan 2026

Severity

Severity: Medium

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-23626 to this issue.

Vulnerability

Kimai contained a server-side template injection vulnerability in its export template handling. In affected versions, an authenticated user with sufficient permissions and access to a malicious export template could use the permissive Twig sandbox to read sensitive application data.

The advisory demonstrated that environment values, password hashes, session data and other secrets could be extracted from the rendering context.

Info

This issue was caused by an overly permissive Twig security policy for export templates.

  • The export template sandbox allowed method and property access that should have been blocked
  • A malicious template could read sensitive values from the request, session, and user objects
  • Exposed data could include secrets such as APP_SECRET, database configuration, password hashes, and session-related information
  • Export templates can only be installed via direct filesystem access, which is usually only possible for system administrators
  • Kimai Cloud is not affected because Twig templates have to pass a manual review process
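The following added example is not Kimai's code and does not reproduce its actual export template policy. It illustrates, with a hypothetical ExportUser class, a made-up template and assumed method names, how a Twig SecurityPolicy whose method allow-list is too broad lets an export template read a password hash from the user object in the rendering context, and how narrowing the allow-list to the fields an export actually needs blocks the same template. It assumes twig/twig is installed via Composer and PHP 8 or newer.

```php
<?php
// Added illustration, not Kimai's own code. The ExportUser class, the
// template and the method names are hypothetical; only the Twig sandbox
// API (Environment, SandboxExtension, SecurityPolicy) is real.

require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig via Composer

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical stand-in for a user object handed to the export template.
// Like a real user entity it exposes far more than an export needs.
final class ExportUser
{
    public function __construct(
        private string $username,
        private string $passwordHash,
    ) {}

    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->passwordHash; }
}

// Renders an untrusted export template under the given sandbox policy.
// A SecurityError (e.g. SecurityNotAllowedMethodError) is turned into a
// "BLOCKED" marker so both runs below can be compared side by side.
function renderExport(SecurityPolicy $policy, string $template, array $context): string
{
    $twig = new Environment(new ArrayLoader(['export' => $template]));
    // Second argument true: every template is sandboxed, not only
    // those wrapped in a {% sandbox %} tag.
    $twig->addExtension(new SandboxExtension($policy, true));

    try {
        return $twig->render('export', $context);
    } catch (SecurityError $e) {
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed sample data; the hash is a placeholder, not a real bcrypt hash.
$user = new ExportUser('alice', '$2y$10$constructedExampleHashNotReal');

// A template a malicious export could carry: next to the legitimate
// username it quietly pulls the password hash. Twig resolves
// "user.password" to the getPassword() method.
$maliciousTemplate = 'User: {{ user.username }} / hash: {{ user.password }}';

// Overly permissive policy: every getter on the user object is callable.
$permissive = new SecurityPolicy(
    [],                                                     // allowed tags
    ['escape'],                                             // allowed filters
    [ExportUser::class => ['getUsername', 'getPassword']],  // allowed methods
    [],                                                     // allowed properties
    []                                                      // allowed functions
);

// Restricted policy: only the field an export legitimately needs.
$restricted = new SecurityPolicy(
    [],
    ['escape'],
    [ExportUser::class => ['getUsername']],
    [],
    []
);

echo renderExport($permissive, $maliciousTemplate, ['user' => $user]), PHP_EOL;
echo renderExport($restricted, $maliciousTemplate, ['user' => $user]), PHP_EOL;
```

Run it with `php example.php`. Under the permissive policy the hash is rendered into the export; under the restricted policy Twig throws a Twig\Sandbox\SecurityNotAllowedMethodError, which the wrapper reports as BLOCKED. Two points follow for anyone reviewing such a policy: the allow-list has to be enumerated per class and per method (Twig's SecurityPolicy has no class wildcard, so every class placed in the context needs its own explicit entry), and the sandbox only helps if the context itself is small. Handing the full request, session and user objects to a template and then trying to enumerate safe methods on each of them is exactly the shape of policy that ends up too permissive; passing plain arrays or purpose-built DTOs with just the exportable fields removes the secrets from reach regardless of the allow-list.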

Solution

Users should update to 2.46.0 or newer.

Credits

  • Reported by: Mahammad Huseynkhanli
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-jg2j-2w24-54cg
