Authenticated server-side template injection (SSTI)
Affected versions
- Kimai versions <=2.45.0 are affected by this security issue
- The issue has been fixed in Kimai 2.46.0
- Severity: Medium
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-23626 to this issue
Description
Kimai contained a server-side template injection vulnerability in its export template handling. In affected versions, an authenticated user with sufficient permissions and access to a malicious export template could use the permissive Twig sandbox to read sensitive application data.
The advisory showed that environment values, password hashes, session data, and other secrets could be extracted from the rendering context.
This issue was caused by an overly permissive Twig security policy for export templates.
- The export template sandbox allowed method and property access that should have been blocked
- A malicious template could read sensitive values from the request, session, and user objects
- Exposed data could include secrets such as APP_SECRET, database configuration, password hashes, and session-related information
- Export templates can only be uploaded via direct filesystem access, which is usually only possible for System-Admins
- Kimai Cloud is not affected because Twig templates have to pass a manual review process
Solution
The existing Twig sandbox security policy was enhanced to guard against access to sensitive user, session and environment data.
Users should update to 2.46.0 or newer.
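The following is an added example of the allow-list shape a restrictive Twig sandbox policy takes; it is not Kimai's own code or its actual policy. It assumes twig/twig 3.x installed via Composer; the User class, the hash value and the template names are constructed for the demonstration.

```php
<?php
// Added example (not Kimai's code): a restrictive Twig sandbox policy for export templates.
// Assumes twig/twig 3.x is installed via Composer; the User class is a constructed stand-in.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an application user object handed to export templates.
final class User
{
    public function __construct(private string $username, private string $password) {}
    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->password; } // secret: must stay unreachable
}

// Allow-list policy: only the listed tags, filters and methods are reachable from a template.
// Everything not listed (getPassword, request/session objects, environment values) is denied.
$policy = new SecurityPolicy(
    ['if', 'for'],                        // allowed tags
    ['escape', 'upper', 'date'],          // allowed filters ('escape' is added implicitly by autoescaping)
    [User::class => ['getUsername']],     // allowed methods, per class
    [],                                   // allowed properties
    []                                    // allowed functions
);

$twig = new Environment(new ArrayLoader([
    'ok.twig'      => '{{ user.username|upper }}',
    'blocked.twig' => '{{ user.password }}',
]));
// Second argument true: every template rendered by this environment runs sandboxed.
$twig->addExtension(new SandboxExtension($policy, true));

$user = new User('alice', '$2y$10$constructed-hash-placeholder');
echo $twig->render('ok.twig', ['user' => $user]), PHP_EOL; // ALICE

try {
    $twig->render('blocked.twig', ['user' => $user]);
    echo 'FAIL: sensitive getter was reachable', PHP_EOL;
} catch (SecurityError $e) {
    // Twig raises a SecurityError subclass for the non-allow-listed getPassword() call.
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
```

A policy like this is only as safe as its allow-lists: every object placed in the render context, and every method on it, has to be reviewed before it is listed.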
Credits
- Reported by: Mahammad Huseynkhanli
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-jg2j-2w24-54cg