API password hash leakage via invoice Twig template

Affected versions

  • Affected versions: <= 2.52.0
  • Patched version: 2.53.0
  • Advisory published: 11 Apr 2026

Severity

Severity: Low

We have not requested an official CVE ID for this security advisory.

Vulnerability

Kimai allowed invoice Twig templates to access API-token-related user methods that should not have been exposed in the sandbox. In affected versions, a crafted invoice template could include the hashed API token of the user who generated the invoice in the rendered output.

Info

This issue was caused by an incomplete method blocklist in the Twig security policy.

  • Sensitive user methods such as password-related accessors were blocked, but API token methods were not
  • A malicious or careless invoice template could therefore access token-related data through the invoice model
  • The practical impact is limited because API passwords are deprecated and the leaked value is a hash, not a reusable plaintext token
  • Only a System-Admin (with the permission upload_invoice_template) could upload such crafted templates
  • Kimai Cloud is not affected because Twig templates have to pass a manual review process
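As an added illustration (not Kimai's code, and not the patched policy shipped in 2.53.0), the PHP snippet below contrasts the two ways a Twig sandbox policy can gate method calls on the user object an invoice model exposes: a deny-list that names the methods to block, which is the pattern the advisory describes, and Twig's built-in allow-list SecurityPolicy, where anything not named is refused. The InvoiceUser class, its method names, the DenyListPolicy class and renderInvoice() are all constructed for this demo; it needs twig/twig installed via Composer.

```php
<?php
// Added example, not Kimai's code: deny-list vs allow-list Twig sandbox policy.
// Requires: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityPolicyInterface;

// Constructed stand-in for the user object reachable from an invoice model.
// The token value is a made-up hash, not a real credential.
final class InvoiceUser
{
    public function getDisplayName(): string { return 'Jane Doe'; }
    public function getPassword(): string { return '$2y$hashed-login-password'; }
    public function getApiToken(): string { return '$2y$hashed-api-token'; }
}

// Deny-list policy (constructed): every method is callable unless listed here.
// A getter that is added later, or simply forgotten, is exposed by default.
final class DenyListPolicy implements SecurityPolicyInterface
{
    private array $blockedMethods = ['getpassword', 'getplainpassword'];

    public function checkSecurity($tags, $filters, $functions): void {}

    public function checkMethodAllowed($obj, $method): void
    {
        if (in_array(strtolower($method), $this->blockedMethods, true)) {
            throw new SecurityNotAllowedMethodError(
                sprintf('Calling "%s" is blocked.', $method), get_class($obj), $method
            );
        }
    }

    public function checkPropertyAllowed($obj, $property): void {}
}

// Allow-list policy: Twig's own SecurityPolicy. Only the listed methods may be
// called on InvoiceUser; getApiToken is refused without anyone listing it.
$allowList = new SecurityPolicy(
    [],                                          // no tags needed for this template
    ['escape'],                                  // autoescaping injects the escape filter
    [InvoiceUser::class => ['getDisplayName']],  // the only user method the invoice needs
    [],                                          // no public properties
    []                                           // no functions
);

// Render one invoice template under the given policy with sandboxing forced on.
function renderInvoice(SecurityPolicyInterface $policy, string $source): string
{
    $twig = new Environment(new ArrayLoader(['invoice.html.twig' => $source]));
    $twig->addExtension(new SandboxExtension($policy, true)); // sandbox every template
    try {
        return $twig->render('invoice.html.twig', ['user' => new InvoiceUser()]);
    } catch (SecurityError $e) {
        // Compile-time (tags/filters/functions) and runtime (method/property) refusals
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// A template that reaches for more than the display name.
$template = 'Issued by {{ user.displayName }} (token: {{ user.apiToken }})';

echo renderInvoice(new DenyListPolicy(), $template), PHP_EOL; // hash appears in output
echo renderInvoice($allowList, $template), PHP_EOL;           // BLOCKED: ... getApiToken
```

The deny-list run emits the hashed token because getApiToken was never added to the block list, which is exactly the gap the advisory describes. The allow-list run stops at getApiToken with a SecurityNotAllowedMethodError, since SecurityPolicy refuses any method not named per class. Two practical notes: the allow-list must also name the filters a template uses, including escape, which autoescaping adds on its own, and any test for a policy like this should render a template that calls an unlisted accessor and assert the render fails rather than only checking the listed ones succeed.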

Solution

Users should update to 2.53.0 or newer.

Credits

  • Reported by: hett-patell
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-rh42-6rj2-xwmc
