Username enumeration via timing, using deprecated API authentication
Affected versions
- Affected versions: <=2.53.0
- Patched version: 2.54.0
- Advisory published: 16 Apr 2026
Severity
Severity: Low
We have not requested an official CVE ID for this security advisory.
Vulnerability
Kimai exposed a small timing difference in the legacy API authentication flow that accepted the X-AUTH-USER and X-AUTH-TOKEN headers.
In affected versions, requests for existing usernames took measurably longer than requests for unknown usernames, which could allow user enumeration through repeated timing analysis.
The response body and HTTP status stayed identical, so the leak was limited to request timing only.
Info
This issue affected the legacy API password authentication mechanism that has already been deprecated.
- The authenticator performed password hash verification only when the requested user existed
- Requests for unknown usernames returned faster because no equivalent hash verification work was performed
- Attackers could use repeated probes to distinguish valid usernames from invalid ones
- The practical impact was limited because the gap was small and easier to observe locally than across a real network
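To make the mechanism above concrete, here is an added example (not Kimai's code) that puts the flawed branch structure beside a constant-work version, which verifies against a precomputed dummy hash whenever the username is unknown. The user store, credentials and PBKDF2 parameters are constructed for the demonstration.

```python
"""Timing side channel in a 'verify hash only if the user exists' flow, and its fix."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # constructed; large enough that hashing dominates request time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (stand-in for a real user table): username -> (salt, hash)
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}

# Dummy credential hashed once at startup so the unknown-user path can do equal work
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-valid", _DUMMY_SALT)


def authenticate_vulnerable(username: str, token: str) -> bool:
    """Flawed flow: hash verification runs only when the user exists."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: returns before any hashing, so timing reveals existence
    salt, stored = record
    return hmac.compare_digest(hash_password(token, salt), stored)


def authenticate_constant_work(username: str, token: str) -> bool:
    """Hardened flow: always perform one hash verification, against the dummy if unknown."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(token, salt), stored)
    return ok and record is not None  # a dummy match can never log anyone in


def timing_gap_ms(auth, known="alice", unknown="nobody", rounds=5) -> float:
    """Median wall-clock difference (ms) between probing a known and an unknown username."""
    def median_ms(user: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            auth(user, "wrong-token")
            samples.append((time.perf_counter() - t0) * 1000)
        samples.sort()
        return samples[len(samples) // 2]
    return median_ms(known) - median_ms(unknown)
```

With the vulnerable function the gap is roughly one full PBKDF2 computation; with the constant-work function it collapses to measurement noise, which is what the 2.54.0 fix aims for.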
Solution
Users should update to 2.54.0 or newer.
Administrators can additionally block HTTP requests that include the X-AUTH-USER and X-AUTH-TOKEN headers in their webserver.
Credits
- Reported by: melnicek
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-jrc6-fmhw-fpq2