CVE-2026-44298
Status: Analyzed - Analysis Complete
Kimai Time Tracking PDF Invoice Template File Read Vulnerability

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: kimai
Product: kimai
Version / Range: From 2.32.0 (inc) to 2.56.0 (exc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44298 is a vulnerability in the Kimai time-tracking application that allows users with the System-Admin role and the upload_invoice_template permission to read arbitrary files on the server.

The issue occurs when such a user uploads a malicious PDF invoice template that calls pdfContext.setOption('associated_files', ...) from inside the Twig sandbox. This call is forwarded to mPDF's SetAssociatedFiles() function, whose writer uses PHP's file_get_contents() to read each file named in the associated_files array and embeds the contents into the generated PDF.

Because file_get_contents() respects PHP stream wrappers, any file readable by the PHP worker process can be exfiltrated through the rendered invoice PDF.

The root cause is insufficient validation in the Twig security policy and the mPDF converter, which allowed associated_files to be used as a file-reading sink without proper restrictions.

This vulnerability has been fixed in Kimai version 2.56.0 by restricting PdfContext options and removing path entries before passing data to mPDF.
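The fix described above amounts to treating template-supplied options as untrusted and never letting a path reach mPDF. The following is an added example of such a filter, written for this page; it is not Kimai's or mPDF's own code. It assumes the entry layout mPDF documents for SetAssociatedFiles() (each entry carries 'name', 'mime', 'description', 'AFRelationship' and either a 'path' read from disk or inline 'content'), and the option allow-list and function names are assumptions chosen for the example.

```php
<?php
// Added example (not Kimai's or mPDF's code): sanitise PDF-context options
// supplied by a template before they are forwarded to mPDF.
declare(strict_types=1);

/** Options a template may set on the PDF context (assumed allow-list). */
const ALLOWED_PDF_OPTIONS = ['title', 'author', 'subject', 'associated_files'];

/** AFRelationship values accepted for an attachment (PDF/A-3 vocabulary). */
const ALLOWED_AF_RELATIONSHIPS = ['Source', 'Data', 'Alternative', 'Supplement', 'Unspecified'];

/**
 * Keep only inline-content attachments; reject every entry that names a path
 * or lacks inline content. Returns [kept entries, names of dropped entries].
 */
function sanitizeAssociatedFiles(array $files): array
{
    $kept = [];
    $dropped = [];
    foreach ($files as $entry) {
        if (!is_array($entry) || array_key_exists('path', $entry) || !isset($entry['content'])) {
            // Anything pointing at the file system is discarded; mPDF would
            // otherwise call file_get_contents() on it during output.
            $dropped[] = is_array($entry) && isset($entry['name']) ? (string) $entry['name'] : '<unnamed>';
            continue;
        }
        $relationship = (string) ($entry['AFRelationship'] ?? 'Unspecified');
        $kept[] = [
            'name'           => basename((string) ($entry['name'] ?? 'attachment')),
            'mime'           => (string) ($entry['mime'] ?? 'application/octet-stream'),
            'description'    => (string) ($entry['description'] ?? ''),
            'AFRelationship' => in_array($relationship, ALLOWED_AF_RELATIONSHIPS, true) ? $relationship : 'Unspecified',
            'content'        => (string) $entry['content'],
        ];
    }
    return [$kept, $dropped];
}

/** Apply the option allow-list and sanitise attachments; log what was rejected. */
function sanitizePdfOptions(array $options): array
{
    $clean = [];
    foreach ($options as $key => $value) {
        if (!in_array($key, ALLOWED_PDF_OPTIONS, true)) {
            continue; // unknown option: dropped
        }
        if ($key === 'associated_files') {
            [$value, $dropped] = sanitizeAssociatedFiles(is_array($value) ? $value : []);
            foreach ($dropped as $name) {
                error_log("pdf template: rejected associated_files entry '{$name}' (path-based or no inline content)");
            }
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample input: one legitimate inline attachment and one path-based
// entry of the kind the advisory describes. Only the first survives.
$sample = [
    'title' => 'Invoice 2026-001',
    'debug' => true, // not on the allow-list, dropped
    'associated_files' => [
        ['name' => 'invoice.xml', 'mime' => 'text/xml', 'content' => '<invoice/>'],
        ['name' => 'attachment.txt', 'mime' => 'text/plain', 'path' => '/placeholder/path/on/server'],
    ],
];
$result = sanitizePdfOptions($sample);
assert(!isset($result['debug']));
assert(count($result['associated_files']) === 1);
assert($result['associated_files'][0]['name'] === 'invoice.xml');
// $mpdf->SetAssociatedFiles($result['associated_files']); // only inline bytes reach mPDF
```

The filter is placed at the boundary between the template sandbox and the converter, so a Twig security policy that forgets a method does not by itself reopen the file-read sink; rejected entries are logged, which also gives the detection guidance below something concrete to alert on.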


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with System-Admin role and upload_invoice_template permission to read arbitrary files on the server where Kimai is running.

Sensitive files such as configuration files, credentials, or other data accessible by the PHP worker process could be exposed to the attacker.

The attacker can exfiltrate these files by embedding their contents into a generated PDF invoice, potentially leading to information disclosure.

The vulnerability requires high privileges but can be exploited remotely without user interaction.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying whether your Kimai installation is running a vulnerable version (2.32.0 or later, but earlier than 2.56.0) and whether any users with the System-Admin role hold the upload_invoice_template permission.

You can check the Kimai version by running commands on the server hosting Kimai, such as:

  • Check the version in the Kimai application interface or by inspecting the version file or composer.lock file if available.
  • Use the command line to check the installed package version, for example `grep 'version' composer.lock` or `cat VERSION`, if such files exist.

Additionally, review user roles and permissions in Kimai to verify if any user has the System-Admin role with the upload_invoice_template permission.

Since the vulnerability involves uploading malicious PDF invoice templates, monitoring logs for unusual upload activity or PDF generation requests by System-Admin users may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Kimai to version 2.56.0 or later, where this vulnerability has been patched.

If an immediate upgrade is not possible, remove the upload_invoice_template permission from System-Admin users so that PDF invoice templates cannot be uploaded.

Additionally, ensure that the PHP worker process has minimal file read permissions to limit the impact of any potential exploitation.

Monitor and audit user activities related to invoice template uploads and PDF generation.

Also consider upgrading PHP to version 8.2 or higher as recommended in the Kimai 2.56.0 release to maintain security and compatibility.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows users with high privileges (System-Admin role and upload_invoice_template permission) to read arbitrary files accessible by the PHP worker process and embed their contents into generated PDFs. This could lead to unauthorized disclosure of sensitive information stored on the server.

Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data to prevent data breaches.

Because the vulnerability enables exfiltration of files without user interaction and with high privileges, organizations using affected versions of Kimai might face increased risk of non-compliance if sensitive data is exposed.

