Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates

Affected versions

  • Affected versions: <= 2.55.0
  • Patched version: 2.56.0
  • Advisory published: 27 Apr 2026

Severity

Severity: Low

We have not requested an official CVE ID for this security advisory.

Vulnerability

The Twig sandbox used for invoice and export HTML/PDF templates exposes the config() function, and that function can read any value from the Kimai system configuration, including values that hold credentials.

A System-Admin (ROLE_SUPER_ADMIN) who uploads a crafted invoice template can therefore render server-wide secrets — such as the LDAP bind password or the SAML SP private key — into the generated invoice. The resulting PDF or HTML is then handed to whoever creates an invoice from that template, including lower-privileged users such as teamleads with invoice permissions.

Info

  • Affected versions: <= 2.55.0. The sandbox issue affects both invoice and export HTML/PDF templates.
  • The practical attack vector is invoice templates: they can be uploaded through the Kimai admin UI with the permission upload_invoice_template, which by default is held only by System-Admin (ROLE_SUPER_ADMIN).
  • Custom export HTML/PDF templates cannot be uploaded through the UI. Reaching the export side requires direct filesystem access to the Kimai installation, which already implies a much stronger attacker position.
  • Secrets become reachable when both conditions are met:
    1. LDAP or SAML is configured in kimai.yaml (or another secret is stored in the system configuration).
    2. A System-Admin with upload_invoice_template acts maliciously and uploads a crafted template.
  • Once the template is in place, every invoice generated from it embeds the leaked configuration into the downloadable PDF or HTML output.
  • Kimai Cloud is not affected because Twig templates have to pass a manual review process.

Solution

The config() function now refuses access to any key under saml. or ldap., regardless of where it is called from.

Inside sandboxed invoice and export templates, config() is further restricted to a fixed allow-list of configuration keys that are safe to expose in generated documents.

Users should update to 2.56.0 or newer. Administrators should also review previously uploaded invoice templates for config() calls; if such a template was ever rendered, treat the LDAP bind password and the SAML SP private key as exposed and rotate them.
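The two guards described above, as an added example written for this page (it is not Kimai's code and does not use Kimai's internal API). It uses the stock twig/twig library: Twig's SecurityPolicy only decides whether a template may call config() at all, not which argument it passes, so the key checks have to live inside the function itself. The configuration keys, the allow-list and the sample values are constructed for the example.

```php
<?php
// Added example (not Kimai's code): a config() Twig function hardened the way the
// advisory describes. Guard 1: keys under ldap. and saml. are refused everywhere.
// Guard 2: inside a sandboxed template only an explicit allow-list of keys is served.
// Requires twig/twig (composer require twig/twig) and PHP 8.0+ (str_starts_with).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\TwigFunction;

// Constructed sample data standing in for the system configuration. The key names
// and values are assumptions for this example, not Kimai's real configuration keys.
const SYSTEM_CONFIG = [
    'company.name'        => 'Example Ltd',
    'invoice.currency'    => 'EUR',
    'mailer.password'     => 'smtp-secret',
    'ldap.bind_password'  => 'hunter2',
    'saml.sp.private_key' => '-----BEGIN PRIVATE KEY-----...',
];

// Prefixes refused regardless of where config() is called from.
const ALWAYS_DENIED_PREFIXES = ['ldap.', 'saml.'];

// Keys that may appear in generated documents (assumed allow-list for this example).
const DOCUMENT_ALLOW_LIST = ['company.name', 'invoice.currency'];

function buildConfigFunction(SandboxExtension $sandbox): TwigFunction
{
    return new TwigFunction('config', function (string $key) use ($sandbox): mixed {
        foreach (ALWAYS_DENIED_PREFIXES as $prefix) {
            if (str_starts_with($key, $prefix)) {
                throw new \RuntimeException(sprintf('Configuration key "%s" is never exposed to templates', $key));
            }
        }
        // isSandboxed() is true while a template runs under the sandbox, either because
        // the extension was enabled globally or because of an enclosing {% sandbox %} block.
        if ($sandbox->isSandboxed() && !in_array($key, DOCUMENT_ALLOW_LIST, true)) {
            throw new \RuntimeException(sprintf('Configuration key "%s" is not available in sandboxed templates', $key));
        }
        return SYSTEM_CONFIG[$key] ?? null;
    });
}

function buildEnvironment(bool $sandboxed): Environment
{
    // The policy only lets the template call config(); it cannot see the argument.
    $policy  = new SecurityPolicy(['if', 'for'], ['escape'], [], [], ['config']);
    $sandbox = new SandboxExtension($policy, $sandboxed);
    $twig    = new Environment(new ArrayLoader([]), ['autoescape' => false]);
    $twig->addExtension($sandbox);
    $twig->addFunction(buildConfigFunction($sandbox));
    return $twig;
}

function tryRender(Environment $twig, string $source): string
{
    try {
        return $twig->createTemplate($source)->render();
    } catch (\Throwable $e) {
        // Twig wraps the RuntimeException in a Twig\Error\RuntimeError; the message is kept.
        return 'REFUSED: ' . $e->getMessage();
    }
}

$uploaded = buildEnvironment(true);   // uploaded invoice template: rendered sandboxed
$trusted  = buildEnvironment(false);  // bundled template from disk: not sandboxed

$cases = [
    [$uploaded, "{{ config('company.name') }}"],        // allowed
    [$uploaded, "{{ config('mailer.password') }}"],     // refused: not on the allow-list
    [$uploaded, "{{ config('ldap.bind_password') }}"],  // refused: ldap. prefix
    [$trusted,  "{{ config('mailer.password') }}"],     // allowed: trusted template, no allow-list
    [$trusted,  "{{ config('saml.sp.private_key') }}"], // refused: saml. prefix, even when trusted
];
foreach ($cases as [$env, $src]) {
    printf("%-9s %-40s => %s\n", $env === $uploaded ? 'sandboxed' : 'trusted', $src, tryRender($env, $src));
}
```

The prefix deny-list runs first and unconditionally, which is what protects bundled, non-sandboxed templates and any other code path that ends up calling config(). The allow-list is deliberately tied to the SandboxExtension instance rather than to a flag passed in by the caller, so a template cannot claim to be trusted; anything rendered under the sandbox gets only the keys on the list.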

Credits

  • Reported by: fg0x0
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-vrqv-52x7-rm4v
