GHSA-rh42-6rj2-xwmc: Kimai leaks API Token Hash via Invoice Twig Template
The Twig sandbox used for invoice templates blocks certain sensitive User methods (password, TOTP secret, etc.) via a blocklist in StrictPolicy::checkMethodAllowed(). However, getApiToken() and getPlainApiToken() are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt- or sodium-hashed API password of any user who generates an invoice using that template to be included in the rendered output.
Only relevant for OnPremise installations with template upload activated.
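As an added illustration of the mitigation (this is not Kimai's own StrictPolicy), the following Twig sandbox policy keeps an explicit blocklist but also refuses any method or property whose name contains a credential-related word, so a getter that is forgotten on the list, such as getApiToken() or getPlainApiToken(), is still denied. The class name, the list contents and the word list are assumptions for illustration.

```php
<?php
// Added example, not Kimai's code. Combines a blocklist (as the advisory
// describes) with deny-by-pattern so new credential getters are blocked
// even when nobody adds them to the list. Names below are assumptions.
declare(strict_types=1);

use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityPolicyInterface;

final class HardenedInvoicePolicy implements SecurityPolicyInterface
{
    /** Explicit blocklist (assumed contents), compared case-insensitively. */
    private const BLOCKED = [
        'getpassword', 'getplainpassword', 'gettotpsecret',
        'getapitoken', 'getplainapitoken',
    ];

    /** Any member name containing one of these words is refused outright. */
    private const SENSITIVE_WORDS = ['password', 'secret', 'token', 'credential', 'salt'];

    public function checkSecurity($tags, $filters, $functions): void
    {
        // Tag/filter/function rules are out of scope here; the advisory is
        // about member access on User objects, handled by the two checks below.
    }

    public function checkMethodAllowed($obj, $method): void
    {
        if (!self::isAllowed($method)) {
            throw new SecurityNotAllowedMethodError(
                sprintf('Method "%s" is not allowed in invoice templates.', $method),
                get_class($obj), $method);
        }
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        // Property reads go through the same rule so {{ user.apiToken }}
        // cannot bypass the method check.
        if (!self::isAllowed($property)) {
            throw new SecurityNotAllowedPropertyError(
                sprintf('Property "%s" is not allowed in invoice templates.', $property),
                get_class($obj), $property);
        }
    }

    /** Pure decision function, testable without a Twig environment. */
    public static function isAllowed(string $name): bool
    {
        $n = strtolower($name);
        if (in_array($n, self::BLOCKED, true)) {
            return false;
        }
        foreach (self::SENSITIVE_WORDS as $word) {
            if (str_contains($n, $word)) {
                return false; // deny by default on anything credential-like
            }
        }
        return true;
    }
}
```

Register it with `new \Twig\Extension\SandboxExtension(new HardenedInvoicePolicy(), true)` on the environment that renders uploaded invoice templates; the pattern rule will also reject harmless names that happen to contain a sensitive word, which is the intended trade-off.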