Password reset links stayed valid after the password was changed

Affected versions

  • Affected versions: <= 2.57.0
  • Patched version: 2.58.0
  • Advisory published: 22 May 2026

Severity

Severity: Low

We have not requested an official CVE ID for this security advisory.

Vulnerability

After a user clicked a password reset link in Kimai and set a new password, the same link could still be used up to 2 times within the next hour.

Info

  • The issue affects password reset links and the admin “login link” feature generated through bin/console kimai:user:login-link
  • The cryptographic signature on these links only covered the user’s internal ID. It did not depend on the current password, so changing the password did not invalidate the link.
  • A user who reset their password in response to a suspected compromise might believe the account is secure, while the leaked link still grants access for a short time.
  • All Kimai installations (OnPremise and Cloud) are affected.

Why we didn’t request a CVE

The issue is largely theoretical. After the password is changed, the same link can be reused at most two more times, and only within the one-hour validity window that started when the original reset link was issued.

In addition, the link must reach someone other than the legitimate user. If an attacker already has access to the user’s mailbox, the underlying problem lies outside of Kimai.

Solution

Login links now include the user’s password hash in their signature, so any existing link immediately becomes invalid as soon as the password is changed. Users should update to 2.58.0 or newer.
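
As an added illustration (not Kimai's own code, nor the code of the framework it uses), the following Python sketch contrasts the vulnerable signing pattern with the corrected one: the weak link signs only the user ID and expiry, while the fixed link also binds the stored password hash, so a password change breaks every outstanding link. The signing key, user object and hash values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed server-side signing key; a real deployment loads this from configuration.
SECRET = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 3600  # the one-hour validity window the advisory describes


@dataclass
class User:
    id: int
    password_hash: str  # the hash the application already stores, never the password


def _sign(fields: list[str]) -> str:
    """HMAC-SHA256 over the pipe-joined payload fields."""
    return hmac.new(SECRET, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def make_link_weak(user: User, now: int) -> str:
    """Vulnerable pattern: the signature covers only the user ID and expiry."""
    expires = str(now + TTL_SECONDS)
    return f"{user.id}.{expires}.{_sign([str(user.id), expires])}"


def make_link_fixed(user: User, now: int) -> str:
    """Hardened pattern: the current password hash is part of the signed payload."""
    expires = str(now + TTL_SECONDS)
    return f"{user.id}.{expires}.{_sign([str(user.id), expires, user.password_hash])}"


def verify(link: str, user: User, now: int, bind_password: bool) -> bool:
    """Recompute the signature from the user's *current* state and compare in constant time."""
    uid, expires, sig = link.split(".")
    if int(uid) != user.id or now > int(expires):
        return False
    fields = [uid, expires] + ([user.password_hash] if bind_password else [])
    return hmac.compare_digest(sig, _sign(fields))


def demo() -> tuple[bool, bool]:
    """Returns (weak link still valid, fixed link still valid) after a password change."""
    now = 1_700_000_000
    user = User(id=42, password_hash="hash-of-old-password")  # constructed value
    weak, fixed = make_link_weak(user, now), make_link_fixed(user, now)
    user.password_hash = "hash-of-new-password"  # the user resets the password
    later = now + 600  # ten minutes later, still inside the one-hour window
    return verify(weak, user, later, False), verify(fixed, user, later, True)
```

Binding the hash does not remove the need for an expiry or a use counter; it only guarantees that a reset or leaked link cannot outlive the credential it was issued against.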

Credits

  • Reported by: AzureADTrent
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-m492-gv72-xvxj