CVE-2026-23626

6.8 MEDIUM

📋 TL;DR

This vulnerability allows authenticated users with export permissions in Kimai time-tracking software to deploy malicious Twig templates that bypass security sandboxing. Attackers can extract sensitive information including environment variables, password hashes, session tokens, and CSRF tokens. All Kimai installations prior to version 2.46.0 are affected.

💻 Affected Systems

Products:
  • Kimai
Versions: All versions prior to 2.46.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with export permissions; default installations grant these permissions to certain user roles.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Kimai instance with extraction of all user credentials, session tokens, and sensitive environment data leading to full system takeover.

🟠 Likely Case: Unauthorized access to sensitive user data including password hashes and session tokens, potentially enabling account takeover and lateral movement.

🟢 If Mitigated: Limited impact if proper access controls restrict export permissions to trusted users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with export permissions; the vulnerability is in a widely used template engine with known exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.46.0

Vendor Advisory: https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg

Restart Required: Yes

Instructions:

1. Back up your Kimai installation and database.
2. Update to version 2.46.0 or later via git pull or package manager.
3. Clear the cache: bin/console cache:clear
4. Restart the web server.
5. Verify the update with bin/console kimai:version

🔧 Temporary Workarounds

Restrict Export Permissions (all platforms)

Temporarily remove export permissions from all non-essential users until patching can be completed.

# Modify user roles in Kimai admin interface to remove export permissions

Disable Export Functionality (all platforms)

Temporarily disable the export feature entirely via configuration or code modification.

# Comment out or remove export-related routes in config/routes.yaml

🧯 If You Can't Patch

  • Implement strict access controls to limit export permissions to absolutely necessary users only.
  • Monitor export activity logs for suspicious template usage or unusual export patterns.

🔍 How to Verify

Check if Vulnerable:

Check the Kimai version: if it is below 2.46.0, the system is vulnerable.

Check Version:

bin/console kimai:version

Verify Fix Applied:

Verify version is 2.46.0 or higher and test export functionality with safe templates.

📡 Detection & Monitoring

Log Indicators:

  • Unusual export activity
  • Template compilation errors
  • Large data exports

Network Indicators:

  • Unusual POST requests to export endpoints
  • Large data transfers from export functionality

SIEM Query:

source="kimai" AND (event="export" OR event="template") AND size>1000000
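An added example (not part of this advisory or of Kimai itself) that automates the two checks above: it extracts the version number from the output of bin/console kimai:version and compares it against 2.46.0, and it applies the SIEM query's logic to export events, also flagging templates outside an allowlist of bundled ones. The JSON log schema, field names and template names are assumptions; Kimai's real log format will differ.

```python
import json
import re
from typing import Iterable

FIXED_VERSION = (2, 46, 0)          # first patched release per the advisory
LARGE_EXPORT_BYTES = 1_000_000      # threshold used by the SIEM query above
# Assumed allowlist of bundled export templates (placeholder names);
# replace with the templates actually shipped in your installation.
KNOWN_TEMPLATES = {"timesheet-default", "invoice-default"}

# Constructed sample of export-related events, one JSON object per line.
# The field names are an assumption, not Kimai's real log schema.
SAMPLE_LOG = """
{"source":"kimai","event":"export","user":"alice","template":"timesheet-default","size":48211}
{"source":"kimai","event":"export","user":"bob","template":"custom-report.twig","size":2048}
{"source":"kimai","event":"template","user":"bob","template":"custom-report.twig","size":0}
{"source":"kimai","event":"export","user":"carol","template":"timesheet-default","size":5120000}
{"source":"nginx","event":"export","user":"-","template":"-","size":9000000}
"""


def is_vulnerable_version(version_output: str) -> bool:
    """Parse the first X.Y.Z in the command output and compare numerically."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not match:
        raise ValueError(f"no version number found in: {version_output!r}")
    return tuple(int(part) for part in match.groups()) < FIXED_VERSION


def triage_export_events(lines: Iterable[str]) -> list[dict]:
    """Return the Kimai export/template events worth an analyst's attention."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # skip malformed lines, don't abort triage
        if event.get("source") != "kimai" or event.get("event") not in ("export", "template"):
            continue
        reasons = []
        if event.get("size", 0) > LARGE_EXPORT_BYTES:
            reasons.append("large export")
        if event.get("template") not in KNOWN_TEMPLATES:
            reasons.append("non-bundled template")
        if reasons:
            findings.append({"user": event["user"], "template": event["template"], "reasons": reasons})
    return findings
```

Feed `triage_export_events` the real export log once the field names are mapped to your Kimai deployment; the non-bundled-template check is the one most directly tied to this CVE.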
