Kimai - Open Source time-tracker Kimai
Start for free

Docker installations using the default secret key could be taken over by attackers

  1. Home
  2. Security
  3. Kimai Advisory CVE-2026-52824

Affected versions

  • Kimai versions <= 2.57.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.58.0
  • Severity: Critical
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-52824 to this issue

Description

The official Kimai Docker image shipped with a fixed, publicly known secret key. Any Kimai site started from that image without setting its own secret used a value anyone could look up, which let an attacker on the internet forge login credentials and sign in as another user, including an administrator.

  • Kimai uses a secret key (Symfony’s kernel.secret, configured through the APP_SECRET setting) to sign remember-me cookies, login links, password-reset URLs, and CSRF tokens. When this value is publicly known, those signatures can be forged.
  • The official Docker image set APP_SECRET to a placeholder value, and the startup scripts never replaced or validated it. Installations that left this placeholder in place ran with a secret key that’s identical and known to everyone.
  • The bare-metal default configuration ships the same placeholder, so any installation that never set its own APP_SECRET is affected, regardless of deployment type.
  • The attack requires no prior authentication and can be carried out by anyone who can reach the Kimai URL over the network.
  • To take over a specific account, an attacker needs to know a username, guess the correct numeric account ID, and the target account must not have two-factor authentication (2FA) enabled. Account IDs are sequential integers, and the first super_admin account is almost always ID 1.
  • Accounts protected by active 2FA are not affected by this takeover path.
  • Kimai Cloud is not affected because each cloud has a strong and random APP_SECRET.

Solution

  • The startup script now generates a strong, random APP_SECRET on first run, stores it persistently, and writes it into the local environment configuration, so new installations no longer rely on a shared placeholder.
  • The image no longer ships a default secret.
  • The documentation stresses the importance of a unique secret.
  • -Login links were given additional entropy as a defense-in-depth measure (see GHSA-m492-gv72-xvxj).

Existing installations that still use the placeholder value should set a unique and random APP_SECRET immediately.

Users should update to 2.58.0 or newer.

Credits

  • Reported by: AzureADTrent
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-jr9p-4h4j-6c58

Top