CVE-2026-44298
Analyzed Analyzed - Analysis Complete
Kimai Time Tracking PDF Invoice Template File Read Vulnerability

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44298
EUVD
EUVD-2026-28517
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kimai kimai From 2.32.0 (inc) to 2.56.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows users with high privileges (System-Admin role and upload_invoice_template permission) to read arbitrary files accessible by the PHP worker process and embed their contents into generated PDFs. This could lead to unauthorized disclosure of sensitive information stored on the server.

Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data to prevent data breaches.

Because the vulnerability enables exfiltration of files without user interaction and with high privileges, organizations using affected versions of Kimai might face increased risk of non-compliance if sensitive data is exposed.

Executive Summary

CVE-2026-44298 is a vulnerability in the Kimai time-tracking application that allows users with the System-Admin role and the upload_invoice_template permission to read arbitrary files on the server.

The issue occurs when such a user uploads a malicious PDF invoice template that exploits the Twig renderer's sandboxed environment by calling pdfContext.setOption('associated_files', ...). This call is forwarded to mPDF's SetAssociatedFiles() function, which uses PHP's file_get_contents() to read files specified in the associated_files array and embeds their contents into the generated PDF.

Because file_get_contents() respects PHP stream wrappers, any file readable by the PHP worker process can be exfiltrated through the rendered invoice PDF.

The root cause is insufficient validation in the Twig security policy and the mPDF converter, which allowed associated_files to be used as a file-reading sink without proper restrictions.

This vulnerability has been fixed in Kimai version 2.56.0 by restricting PdfContext options and removing path entries before passing data to mPDF.

Impact Analysis

This vulnerability can impact you by allowing an attacker with System-Admin role and upload_invoice_template permission to read arbitrary files on the server where Kimai is running.

Sensitive files such as configuration files, credentials, or other data accessible by the PHP worker process could be exposed to the attacker.

The attacker can exfiltrate these files by embedding their contents into a generated PDF invoice, potentially leading to information disclosure.

The vulnerability requires high privileges but can be exploited remotely without user interaction.

Detection Guidance

Detection of this vulnerability involves identifying if your Kimai installation is running a vulnerable version between 2.32.0 and before 2.56.0 and if users with the System-Admin role have the upload_invoice_template permission.

You can check the Kimai version by running commands on the server hosting Kimai, such as:

  • Check the version in the Kimai application interface or by inspecting the version file or composer.lock file if available.
  • Use command line to check installed package version, for example: `grep 'version' composer.lock` or `cat VERSION` if such files exist.

Additionally, review user roles and permissions in Kimai to verify if any user has the System-Admin role with the upload_invoice_template permission.

Since the vulnerability involves uploading malicious PDF invoice templates, monitoring logs for unusual upload activity or PDF generation requests by System-Admin users may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Kimai to version 2.56.0 or later, where this vulnerability has been patched.

If immediate upgrade is not possible, restrict the System-Admin users' permissions by removing the upload_invoice_template permission to prevent uploading malicious PDF invoice templates.

Additionally, ensure that the PHP worker process has minimal file read permissions to limit the impact of any potential exploitation.

Monitor and audit user activities related to invoice template uploads and PDF generation.

Also consider upgrading PHP to version 8.2 or higher as recommended in the Kimai 2.56.0 release to maintain security and compatibility.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart