GHSA-3jp4-mhh4-gcgr: Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler
The SAML authentication success handler in Kimai returns the RelayState POST parameter as a redirect destination without validating the host or scheme. After a user successfully authenticates via SAML, they are redirected to an attacker-controlled URL if the IdP includes a malicious RelayState value. This enables phishing attacks that steal credentials or session tokens post-SSO.
Requires SAML to be enabled (non-default configuration).
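The fix for this class of bug is to treat RelayState as an untrusted hint and only follow it when it stays on the application's own origin. The following is an added, illustrative validator written for this advisory, not Kimai's code (Kimai itself is PHP/Symfony); the hostname `kimai.example` is an assumed placeholder for the deployment's real host.

```python
"""Illustrative RelayState validation for a SAML ACS handler (not Kimai's code).

Accepts only (a) a local absolute-path reference such as "/timesheet" or
(b) an https URL whose authority is exactly this application's host.
Anything else, including the network-path forms "//host", "/\\host" and
"///host" that browsers resolve to a foreign origin, falls back to DEFAULT_DEST.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

APP_HOST = "kimai.example"  # assumed placeholder for the deployment's host
DEFAULT_DEST = "/"

# A local path must start with exactly one forward slash.
_LOCAL_PATH = re.compile(r"^/(?![/\\])")
# Control characters and whitespace are never legitimate in a RelayState.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def safe_redirect_target(relay_state: Optional[str], app_host: str = APP_HOST) -> str:
    """Return a post-login destination that cannot leave this application."""
    if not relay_state or _CONTROL.search(relay_state):
        return DEFAULT_DEST
    # Backslashes are treated as slashes by browsers; reject them outright.
    if "\\" in relay_state:
        return DEFAULT_DEST
    if _LOCAL_PATH.match(relay_state):
        return relay_state  # same-origin path; query and fragment are fine
    parts = urlsplit(relay_state)
    # Compare the whole authority so "user@host" and ":port" variants,
    # as well as look-alike hosts such as app.host.evil.example, are rejected.
    if parts.scheme == "https" and parts.netloc.lower() == app_host.lower():
        return relay_state
    return DEFAULT_DEST


if __name__ == "__main__":
    # Constructed sample RelayState values, benign and hostile.
    for sample in ["/timesheet?page=2", "https://kimai.example/dashboard",
                   "//evil.example/", "/\\evil.example", "///evil.example",
                   "http://kimai.example/", "https://kimai.example@evil.example/",
                   "javascript:alert(1)", ""]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```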