Compliance Impact

This vulnerability allows an authenticated user with export permissions to extract sensitive information such as environment variables, all user password hashes, serialized session tokens, and CSRF tokens. The exposure of such sensitive personal and security-related data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data confidentiality. Therefore, the vulnerability poses a significant risk to compliance with these standards by enabling unauthorized access and potential misuse of protected data. [3]

Useful 0 Not Useful 0

Executive Summary

CVE-2026-23626 is an authenticated Server-Side Template Injection (SSTI) vulnerability in Kimai versions prior to 2.46.0. The vulnerability arises because Kimai's export functionality uses a Twig sandbox with an overly permissive security policy called DefaultPolicy, which allows arbitrary method calls and property access on objects within the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information such as environment variables (e.g., APP_SECRET), all user password hashes, serialized session tokens, and CSRF tokens. This occurs because the DefaultPolicy disables all security checks, allowing unrestricted access to internal objects and methods during template rendering. [3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact on confidentiality. An attacker with export permissions (typically admin-level roles) can extract highly sensitive data including environment variables like APP_SECRET and DATABASE_URL, serialized session tokens, all user password hashes, and CSRF tokens. With the APP_SECRET, the attacker can forge Symfony login links for any user, potentially leading to full system compromise. The attack requires no user interaction beyond authentication and can be executed remotely via the web interface. There is no demonstrated impact on integrity or availability, but the confidentiality breach can lead to complete takeover of the system. [3]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your Kimai installation is running a vulnerable version (prior to 2.46.0) and if there are any suspicious export activities using malicious Twig templates. Since exploitation requires an authenticated user with export permissions deploying a malicious Twig template and triggering export via HTTP POST to /en/export/data, monitoring web server logs for POST requests to this endpoint and unusual export template files in /opt/kimai/var/export/ can help detect exploitation attempts. Additionally, checking for presence of suspicious PDF export files or unexpected data extraction patterns may indicate exploitation. Specific commands could include: 1) Checking Kimai version: `kimai --version` or reviewing installed package versions. 2) Listing export templates: `ls -l /opt/kimai/var/export/` to find unauthorized or suspicious Twig templates. 3) Monitoring web server logs for export POST requests: `grep '/en/export/data' /var/log/nginx/access.log` or equivalent. 4) Using PDF text extraction tools like `pdftotext` on recent export PDFs to check for leaked sensitive data. However, no explicit detection commands are provided in the resources. [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrade Kimai to version 2.46.0 or later, where the vulnerability is patched by restricting the Twig sandbox security policy. 2) Restrict export permissions strictly to trusted, high-privilege users only (e.g., ROLE_ADMIN, ROLE_SUPER_ADMIN, ROLE_TEAMLEAD). 3) Avoid allowing untrusted users to deploy or modify Twig export templates on the filesystem. 4) Monitor and audit export template files and export activities for suspicious behavior. These steps reduce the risk of exploitation by limiting access and applying the security fix. [3, 1, 4]

Useful 0 Not Useful 0