CVE-2026-42267
Formula Injection in Kimai Time Tracking Application
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kimai | kimai | From 2.27.0 (inc) to 2.54.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Kimai versions 2.27.0 to 2.53.0, where any user with the ROLE_USER role can create a tag with a formula string (for example, =SUM(54+51)) as its name via the POST /api/tags endpoint and assign it to a timesheet.
When an administrator exports timesheets to XLSX format, the function ArrayFormatter.formatValue() joins tag names without sanitizing them. OpenSpout then interprets any string starting with = as a formula cell, embedding the formula in the XLSX file.
When the exported file is opened in Excel or LibreOffice Calc, the formula executes automatically, potentially allowing malicious code execution or other harmful effects.
The root cause is that tag name validation does not block formula trigger characters like =, +, -, or @, and the sanitizeDDE() function is not called.
How can this vulnerability impact me?
The impact of this vulnerability is significant because a single malicious tag created by any user can affect all future timesheet exports until the tag is deleted.
When an administrator exports timesheets to XLSX, the malicious formula embedded in the tag name will execute automatically upon opening the file in Excel or LibreOffice Calc.
This can lead to unintended code execution on the administrator's workstation, potentially compromising system security or data integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if any tags created by users with ROLE_USER contain formula strings starting with characters like =, +, -, or @. Specifically, you can inspect tags created via the POST /api/tags endpoint for names that resemble spreadsheet formulas (e.g., =SUM(54+51)).
To detect such tags, you can query the database or use API calls to list tags and filter those starting with formula trigger characters.
- Use an API call or database query to list all tags and check for names starting with `=`, `+`, `-` or `@`.
- Example SQL query (assuming direct access to the database and a tag table named `tags`):

```sql
SELECT * FROM tags
WHERE name LIKE '=%' OR name LIKE '+%' OR name LIKE '-%' OR name LIKE '@%';
```

- Alternatively, fetch the tags via the API (adding the authentication headers your instance requires) and grep for names that begin with any of the four trigger characters:

```sh
curl -X GET https://your-kimai-instance/api/tags | grep -E '"name":"[=+@-]'
```
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing users from creating tags with names starting with formula trigger characters such as =, +, -, or @.
You should update Kimai to version 2.54.0 or later, where this issue has been patched by disallowing = in tag names and using OpenSpout's TextCell for all string values to avoid formula execution.
Until you can update, manually audit and delete any tags with formula-like names to prevent malicious formulas from being included in exported XLSX files.
- Upgrade Kimai to version 2.54.0 or later.
- Audit and remove any tags starting with =, +, -, or @.
- Educate administrators to be cautious when exporting timesheets to XLSX if suspicious tags exist.
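The detection and the mitigation above, as an added Python example that is not part of this advisory or of Kimai's own code: it flags tag names from a (constructed) `GET /api/tags` response that a spreadsheet would parse as formulas, and shows the CSV-side equivalent of the TextCell fix, an apostrophe prefix plus RFC 4180 quoting, applied to the joined tag cell. It goes beyond the page's four characters by also treating tab and carriage return as triggers, as OWASP's CSV-injection guidance does; the response shape (a JSON list of objects with a `name` field) is an assumption.

```python
import json

# Characters that Excel / LibreOffice treat as the start of a formula:
# the four named in the advisory, plus tab and CR from the OWASP list.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of what GET /api/tags might return (assumed shape).
SAMPLE_TAGS_JSON = json.dumps([
    {"id": 1, "name": "billable"},
    {"id": 2, "name": "=SUM(54+51)"},
    {"id": 3, "name": "+1"},
    {"id": 4, "name": "-dev"},
    {"id": 5, "name": "@mention"},
    {"id": 6, "name": "c-sharp"},   # trigger char not at the start: harmless
])


def is_formula_like(name: str) -> bool:
    """True if a cell holding `name` would be interpreted as a formula."""
    return name.startswith(FORMULA_TRIGGERS)


def find_formula_tags(api_response: str) -> list:
    """Return every tag name in the JSON list that looks like a formula."""
    tags = json.loads(api_response)
    return [t["name"] for t in tags if is_formula_like(t["name"])]


def neutralize(value: str) -> str:
    """Make `value` safe for a CSV cell: prefix a formula-like value with an
    apostrophe so the spreadsheet keeps it as text, then quote the field and
    double any embedded quotes (RFC 4180)."""
    if is_formula_like(value):
        value = "'" + value
    return '"' + value.replace('"', '""') + '"'


def format_tag_cell(names: list) -> str:
    """Join tag names the way an exporter would (comma separated) and
    neutralize the joined string before it becomes a cell; only a formula
    tag in first position makes the whole cell start with a trigger."""
    return neutralize(", ".join(names))


if __name__ == "__main__":
    for name in find_formula_tags(SAMPLE_TAGS_JSON):
        print("formula-like tag:", name)
    print(format_tag_cell(["=SUM(54+51)", "billable"]))
```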
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.