CVE-2026-23626
Arbitrary Method Call Vulnerability in Kimai Export Function

Publication date: 2026-01-18

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
Meta Information
Published: 2026-01-18
Last Modified: 2026-02-18
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: kimai
Product: kimai
Version / Range: all versions before 2.46.0 (2.46.0 itself is not affected)
CWE
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine. The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23626 is an authenticated Server-Side Template Injection (SSTI) vulnerability in Kimai versions prior to 2.46.0. Kimai renders export templates inside a Twig sandbox, but the sandbox was configured with an overly permissive security policy (`DefaultPolicy`) that permits arbitrary method calls and property access on every object reachable from the template context. Because that policy effectively performs no checks, an authenticated user with export permissions who can deploy a malicious Twig template gets unrestricted access to internal objects and methods during rendering, and can extract environment variables (e.g., APP_SECRET), every user's password hash, serialized session tokens, and CSRF tokens. [3]
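As an added example (not Kimai's code, and not the advisory's exploit), the following PHP script shows the two sides of this bug in Twig 3: a sandbox policy whose checks never throw, standing in for the permissive `DefaultPolicy` pattern described above (the class name `AllowEverythingPolicy` is invented here and is not Kimai's class), next to an explicit allowlist built on Twig's own `SecurityPolicy`. The `DemoUser` class, the two templates and the hash value are constructed for the demonstration; the script assumes PHP 8 and twig/twig 3 installed via Composer.

```php
<?php
// Added example, not Kimai's code: the weak sandbox pattern the advisory
// describes next to an allowlist policy. Assumes PHP 8 and twig/twig ^3 via
// Composer. DemoUser, the templates and the hash are constructed stand-ins.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityPolicyInterface;

/** Hypothetical stand-in for a user entity that an export template can reach. */
final class DemoUser
{
    public function __construct(private string $username, private string $passwordHash) {}
    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->passwordHash; }
}

/**
 * The weak pattern: a policy whose checks never throw. Templates run "in the
 * sandbox", yet may call any method and read any property of any object.
 */
final class AllowEverythingPolicy implements SecurityPolicyInterface
{
    public function checkSecurity($tags, $filters, $functions): void {}
    public function checkMethodAllowed($obj, $method): void {}
    public function checkPropertyAllowed($obj, $property): void {}
}

/** The fix: an explicit allowlist; anything not listed raises a SecurityError. */
function strictPolicy(): SecurityPolicy
{
    return new SecurityPolicy(
        ['for', 'if', 'set'],                 // tags
        ['escape', 'date', 'upper', 'join'],  // filters ('escape' covers autoescaping)
        [DemoUser::class => ['getUsername']], // methods, listed per class
        [],                                   // properties
        ['range'],                            // functions
    );
}

/** Build an Environment in which every template is rendered inside the sandbox. */
function sandboxedTwig(SecurityPolicyInterface $policy, array $templates): Environment
{
    $twig = new Environment(new ArrayLoader($templates));
    $twig->addExtension(new SandboxExtension($policy, true)); // true: always sandboxed
    return $twig;
}

/** Render a template; a SecurityError means the sandbox stopped it. */
function renderOrBlock(Environment $twig, string $name, array $context): string
{
    try {
        return $twig->render($name, $context);
    } catch (SecurityError $e) {
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed templates: a legitimate export and an attacker-supplied one.
$templates = [
    'report.twig' => 'Exported for {{ user.getUsername() }}',
    'leak.twig'   => 'Hash: {{ user.getPassword() }}',
];
$context = ['user' => new DemoUser('alice', '$2y$13$constructedhash')];

foreach (['permissive' => new AllowEverythingPolicy(), 'allowlist' => strictPolicy()] as $label => $policy) {
    $twig = sandboxedTwig($policy, $templates);
    foreach (array_keys($templates) as $name) {
        printf("[%-10s] %-12s %s\n", $label, $name, renderOrBlock($twig, $name, $context));
    }
}
```

Run it with `php sandbox-demo.php`. Under the permissive policy both templates render, password hash included, because `checkMethodAllowed` never rejects anything; the sandbox is present but decides nothing. Under the allowlist, `report.twig` renders while `leak.twig` is stopped with a `SecurityError` the moment it calls `user.getPassword()`. The allowlist is deliberately per class and per method: listing `getUsername` on `DemoUser` does not open `getUsername` on anything else, and methods that are not relevant to rendering an export (credential, secret and request accessors) are simply never listed.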


How can this vulnerability impact me?

The impact is primarily on confidentiality, and it is severe. An attacker holding export permissions (typically admin-level roles) can extract environment variables such as APP_SECRET and DATABASE_URL, serialized session tokens, every user's password hash, and CSRF tokens. Knowledge of APP_SECRET lets the attacker forge Symfony login links for any user, so the disclosure can escalate to full compromise of the application. The attack is carried out remotely through the web interface and needs no interaction from any other user; only an authenticated account with the export permission is required. The advisory demonstrates no direct integrity or availability impact, but secrets of this kind are a direct path to account and system takeover. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirming whether the installed Kimai is vulnerable (any version prior to 2.46.0), and looking for signs that a malicious export template has been deployed or run. Exploitation requires an authenticated user with export permissions to place a Twig template in the custom export template directory and trigger an export with an HTTP POST to /en/export/data, so the useful places to look are the web server access log, the template directory, and recently produced export files. The commands below assume the installation directory /opt/kimai used in the references and an nginx access log; adjust both for your deployment.

1) Check the Kimai version with its console command, run from the installation directory: `bin/console kimai:version`. Any version below 2.46.0 is affected.
2) List custom export templates with their modification times: `ls -lt /opt/kimai/var/export/`. Any template you did not deploy, or one changed recently, deserves review; a template that calls methods unrelated to rendering timesheet data, or that reaches into the request, server or user objects, is a red flag.
3) Search the access log for export runs: `grep '"POST /en/export/data' /var/log/nginx/access.log` (other locales use a different prefix than /en/), then correlate client addresses and timestamps with the users who hold export permissions.
4) Inspect recent export output, for example with `pdftotext` on PDF exports, for content that does not belong in a timesheet export, such as password hashes, environment variables or tokens.

The references provide no explicit detection commands; the checks above are derived from the exploitation path they describe. [3]
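As an added example (not Kimai's code), this PHP script turns the template and log checks above into code: it runs Twig's own lexer over a template and lists every explicit method call and every `attribute()` call that is not on a reviewer-supplied allowlist, and it parses nginx combined-format access-log lines and keeps the POSTs to the export endpoint for any locale. The log lines and templates at the bottom are constructed samples; `auditExportDir()` assumes the Kimai layout in which custom templates live under `var/export/` of the installation directory, and the whole script assumes PHP 8 and twig/twig 3 installed via Composer.

```php
<?php
// Added example, not Kimai's code: triage of export templates and access logs.
// Assumes PHP 8, twig/twig ^3 via Composer, nginx "combined" log format, and
// custom export templates under <install dir>/var/export/ (Kimai's layout).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Source;
use Twig\Token;

/**
 * Run Twig's lexer over a template and report explicit method calls
 * (name.method(...)) that are not in $allowedMethods, plus every attribute()
 * call, which reaches object methods without dot syntax.
 */
function findMethodCalls(string $code, array $allowedMethods = []): array
{
    $stream = (new Environment(new ArrayLoader()))->tokenize(new Source($code, 'audit'));
    $tokens = [];
    while (!$stream->isEOF()) {
        $tokens[] = $stream->next(); // returns the current token, then advances
    }
    $isName  = fn (Token $t): bool => Token::NAME_TYPE === $t->getType();
    $isPunct = fn (Token $t, string $v): bool => Token::PUNCTUATION_TYPE === $t->getType() && $v === $t->getValue();
    $allowed = array_map('strtolower', $allowedMethods);
    $hits    = [];
    foreach ($tokens as $i => $t) {
        if (!$isName($t) || !isset($tokens[$i + 1]) || !$isPunct($tokens[$i + 1], '(')) {
            continue; // only a NAME followed by "(" can be a call
        }
        if ('attribute' === $t->getValue()) {
            $hits[] = sprintf('line %d: attribute() call', $t->getLine());
        } elseif ($i >= 2 && $isPunct($tokens[$i - 1], '.') && $isName($tokens[$i - 2])
            && !in_array(strtolower($t->getValue()), $allowed, true)) {
            $hits[] = sprintf('line %d: %s.%s()', $t->getLine(), $tokens[$i - 2]->getValue(), $t->getValue());
        }
    }
    return $hits;
}

/** Audit every custom export template under an installation directory. */
function auditExportDir(string $installDir, array $allowedMethods = []): array
{
    $report = [];
    foreach (glob($installDir . '/var/export/*.twig') ?: [] as $file) {
        $report[$file] = [
            'modified' => date('c', (int) filemtime($file)),
            'findings' => findMethodCalls((string) file_get_contents($file), $allowedMethods),
        ];
    }
    return $report;
}

/** Parse one nginx "combined" access-log line; null if it does not match. */
function parseAccessLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4], 'path' => $m[5], 'status' => (int) $m[6]];
}

/** Keep the POSTs to /<locale>/export/data, the request that runs an export template. */
function exportPosts(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parseAccessLine($line);
        if ($r && 'POST' === $r['method'] && preg_match('#^/[A-Za-z_]+/export/data(?:[?/]|$)#', $r['path'])) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed samples, not real data: one ordinary template, one that reads
// secrets, and three log lines of which only one is an export run.
$templates = [
    'timesheet.html.twig' => "{% for t in timesheets %}\n{{ t.getDuration()|date('H:i') }}\n{% endfor %}",
    'exfil.html.twig'     => "{% for u in users %}{{ u.getPassword() }}{% endfor %}\n{{ attribute(app.request.server, 'all')|json_encode }}",
];
$logLines = [
    '203.0.113.7 - - [18/Jan/2026:10:15:02 +0000] "GET /en/export/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jan/2026:10:15:41 +0000] "POST /en/export/data HTTP/1.1" 200 88311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jan/2026:10:16:10 +0000] "POST /en/login_check HTTP/1.1" 302 0 "-" "curl/8.0"',
];

foreach ($templates as $name => $code) {
    $findings = findMethodCalls($code, ['getDuration', 'getBegin', 'getEnd']);
    printf("%-20s %s\n", $name, $findings ? implode('; ', $findings) : 'no unexpected calls');
}
foreach (exportPosts($logLines) as $hit) {
    printf("export run: %s from %s at %s (HTTP %d)\n", $hit['path'], $hit['ip'], $hit['time'], $hit['status']);
}
```

On a real installation, call `auditExportDir('/opt/kimai', $allowedMethods)` with the accessor methods your own templates legitimately use, and feed `exportPosts()` the lines of the access log (for example `file('/var/log/nginx/access.log')`). The template scanner uses the lexer rather than a regular expression so that calls split across whitespace or lines are still seen, and it reports `attribute()` separately because that function is the usual way to reach a method whose name a reviewer would otherwise spot in a dotted call. Neither check proves exploitation; they narrow the review to the templates and the export runs worth a closer look, which is what the references support.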


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps:

1) Upgrade Kimai to version 2.46.0 or later; the fix restricts the Twig sandbox security policy used for exports.
2) Until the upgrade is done, restrict the export permission to a minimal set of trusted, high-privilege users (e.g., ROLE_ADMIN, ROLE_SUPER_ADMIN, ROLE_TEAMLEAD) and review who currently holds it.
3) Do not allow untrusted users to deploy or modify Twig export templates on the filesystem; treat the custom template directory as code and control write access to it.
4) Monitor and audit export template files and export activity for suspicious behaviour.

Restricting permissions only reduces exposure: any user who keeps the export permission and can place a template can still exploit an unpatched instance, so the upgrade is the actual fix. [3, 1, 4]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability lets an authenticated user with export permissions extract environment variables, every user's password hash, serialized session tokens, and CSRF tokens. Exposure of credentials and security material tied to identifiable users is the kind of unauthorized access that data protection regimes such as GDPR treat as a personal data breach, and HIPAA raises the same concern where the deployment handles protected health information. The vulnerability therefore poses a significant compliance risk by enabling unauthorized access to, and potential misuse of, protected data. [3]

