Invoice PDF export could trigger requests to internal network services
Affected versions
- Kimai versions <=2.57.0 are affected by this security issue
- The issue has been fixed in Kimai 2.58.0
- Severity: Medium
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-49865 to this issue
Description
A vulnerability in Kimai’s invoice PDF generation feature could cause the application server to make outbound HTTP requests to attacker-controlled or internal network addresses. Anyone with permission to edit a customer’s invoice text could trigger this behavior by embedding a specially crafted image reference in that field.
- Affected feature: Invoice PDF preview and generation
- Required access: Permission to edit customer records (the customer Invoice Text) and to create invoices, both typically available to admin users only.
- The customer Invoice Text field supports Markdown formatting. When a Markdown image is included in that field, Kimai converts it to an HTML <img> element and passes the HTML to the PDF rendering engine (mPDF). mPDF then fetches the image URL from the application server, so the request originates inside the server's network, and there was no restriction on which addresses it could contact.
- This allows an attacker to cause the Kimai server to make requests to internal services, cloud instance metadata endpoints, or attacker-controlled infrastructure: a server-side request forgery (SSRF) against destinations that would not normally be reachable from outside the network.
- All Kimai installations are affected.
Solution
- Kimai no longer renders Markdown image syntax. Images are converted to plain links instead, so the PDF renderer doesn’t fetch remote URLs from the customer Invoice Text.
- mPDF now uses a restricted HTTP client (NoPrivateNetworkHttpClient) that blocks requests to private network addresses, limiting the scope of any remaining image-loading behavior. See the PDF templates documentation for details on which image sources are still supported.
- Note: These changes may be a breaking change if your invoice or export templates previously embedded images hosted on the Kimai domain itself or on an internal IP address.
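As an added illustration of the mechanism described above and of both fixes, the following Python is not Kimai's PHP code and is not the Symfony NoPrivateNetworkHttpClient; it shows the pre-fix rendering path (Markdown image to <img>), the image-to-link rewrite, and a resolve-then-check filter that rejects non-public addresses, which is the kind of check a restricted HTTP client performs. The sample Invoice Text, the hostnames and the resolver table are constructed for the example.

```python
"""Added example, not Kimai's code: the mechanism and both mitigations from the
advisory, on a constructed customer Invoice Text. Kimai is PHP; this is a
language-neutral sketch."""
from __future__ import annotations

import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed sample: a customer Invoice Text with one hostile and one benign image.
SAMPLE_INVOICE_TEXT = (
    "Thank you for your business.\n"
    "![logo](http://169.254.169.254/latest/meta-data/)\n"
    "![stamp](https://cdn.example.com/stamp.png)\n"
)

# Inline Markdown image: ![alt](url "optional title"). Reference-style images are
# out of scope for this sketch.
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def render_images_as_html(markdown: str) -> str:
    """Pre-fix behaviour: image syntax becomes <img>, and the PDF engine fetches src."""
    return IMAGE_RE.sub(lambda m: f'<img src="{m.group(2)}" alt="{m.group(1)}">', markdown)


def images_to_links(markdown: str) -> str:
    """Mitigation 1: demote ![alt](url) to [alt](url), so no <img> reaches the renderer."""
    return IMAGE_RE.sub(lambda m: f"[{m.group(1)}]({m.group(2)})", markdown)


def resolve_all(host: str) -> list[str]:
    """Default resolver: every address the OS returns for host (needs the network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), ULA, CGNAT, etc."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.5 hides an IPv4 target
    if mapped is not None:
        ip = mapped
    return not ip.is_global


def check_fetch_allowed(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Mitigation 2: only http(s), and only to a host whose *every* address is public."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, KeyError) as exc:  # KeyError: table-backed test resolver
            return False, f"cannot resolve {host}: {exc}"
    for address in addresses:
        if is_non_public(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


def extract_image_urls(html: str) -> list[str]:
    """What the renderer would try to fetch from the generated HTML."""
    return re.findall(r'<img\s[^>]*src="([^"]+)"', html)


if __name__ == "__main__":
    vulnerable_html = render_images_as_html(SAMPLE_INVOICE_TEXT)
    print("pre-fix fetch targets:", extract_image_urls(vulnerable_html))
    for url in extract_image_urls(vulnerable_html):
        print(f"  {url}: {check_fetch_allowed(url)}")
    print("post-fix HTML contains <img>:", "<img" in images_to_links(SAMPLE_INVOICE_TEXT))
```

Two design points matter for anyone reproducing the second mitigation in a real client. First, the decision is made on resolved addresses, not on the hostname string: an attacker-controlled name such as the constructed rebind.example can answer with a public address and a loopback address, and a single private answer is enough to refuse. Second, a separate lookup followed by a later connect is still a time-of-check/time-of-use window; a production client has to apply the check to the address the socket actually connects to, which is why the fix delegates to a dedicated restricted HTTP client rather than to a pre-flight check like this one.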
Users should update to 2.58.0 or newer.
Credits
- Reported by: Mitchell45
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-pj8j-p4g4-4vw8