CVE-2026-23626: Kimai has an Authenticated Server-Side Template Injection (SSTI)
| Field | Value |
|---|---|
| Title | Authenticated SSTI via Permissive Export Template Sandbox |
| Attack Complexity | Low |
| Privileges Required | High (Admin with export permissions and server access) |
| User Interaction | None |
| Impact | Confidentiality: HIGH (Credential/Secret Extraction) |
| Affected Versions | Kimai 2.45.0 (likely earlier versions) |
| Tested On | Docker: kimai/kimai2:apache-2.45.0 |
| Discovery Date | 2026-01-05 |
Why Scope is “Changed”: The extracted APP_SECRET can be used to forge Symfony login links for ANY user account, expanding the attack beyond the initially compromised admin context.
References
- github.com/advisories/GHSA-jg2j-2w24-54cg
- github.com/kimai/kimai
- github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f
- github.com/kimai/kimai/pull/5757
- github.com/kimai/kimai/releases/tag/2.46.0
- github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg
- nvd.nist.gov/vuln/detail/CVE-2026-23626
- twig.symfony.com/doc/3.x/api.html