{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23626", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.482Z", "datePublished": "2026-01-18T22:45:35.942Z", "dateUpdated": "2026-01-20T20:07:08.477Z"}, "containers": {"cna": {"title": "Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg"}, {"name": "https://github.com/kimai/kimai/pull/5757", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/pull/5757"}, {"name": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f"}, {"name": "https://github.com/kimai/kimai/releases/tag/2.46.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/releases/tag/2.46.0"}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"version": "< 2.46.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-18T22:45:35.942Z"}, "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue."}], "source": {"advisory": "GHSA-jg2j-2w24-54cg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T19:37:30.485752Z", "id": "CVE-2026-23626", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:07:08.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T19:37:30.485752Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T19:37:31.497Z"}}], "cna": {"title": "Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)", "source": {"advisory": "GHSA-jg2j-2w24-54cg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"status": "affected", "version": "< 2.46.0"}]}], "references": [{"url": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg", "name": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kimai/kimai/pull/5757", "name": "https://github.com/kimai/kimai/pull/5757", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f", "name": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kimai/kimai/releases/tag/2.46.0", "name": "https://github.com/kimai/kimai/releases/tag/2.46.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-18T22:45:35.942Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23626", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:07:08.477Z", "dateReserved": "2026-01-14T16:08:37.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-18T22:45:35.942Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*", "matchCriteriaId": "47DBF927-9B2F-4E84-9D11-0BB8793F2015", "versionEndExcluding": "2.46.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue."}], "id": "CVE-2026-23626", "lastModified": "2026-02-18T16:30:19.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-18T23:15:48.393", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/kimai/kimai/pull/5757"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kimai/kimai/releases/tag/2.46.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:25:41.891516+00:00", "value": {"mitigation_remediation": ["Upgrade Kimai to version 2.46.0 or later.", "Restrict export permissions to trusted administrators.", "Review and enforce proper sandbox policies for template rendering."], "summary": {"action": "Update Immediately", "impact": "Data Exfiltration via SSTI"}, "threat_synthesis": {"affected_systems": "All Kimai installations running a version earlier than 2.46.0 are affected. The vulnerable product is Kimai, the open\u2011source time\u2011tracking application.", "description_and_impact": "Kimai's export feature previously used a permissive Twig sandbox enabling arbitrary method calls on template context objects. An authenticated user with export rights can supply a malicious template that reads environment variables, user password hashes, session tokens, and CSRF tokens, compromising confidentiality.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.8 (moderate) and a low EPSS probability (<1%), and it is not listed in the CISA KEV catalog. Exploitation requires a legitimate user account with export permissions; a suitable attacker could then deploy a crafted template and retrieve sensitive data. The attack is limited to the affected user's authorization level, but the data exposed could allow further lateral movement if passwords or session tokens are harvested."}}}}, "created": "2026-01-19T09:19:04.054528+00:00", "updated": "2026-04-18T05:30:25.846591+00:00", "vendors": ["kimai", "kimai$PRODUCT$kimai"]}