← Zuruck zu CVEs

CVE-2026-23626

MEDIUM

6.8

Beschreibung

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.

CVE Details

CVSS v3.1 Bewertung6.8

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienHIGH

BenutzerinteraktionNONE

Veroffentlicht1/18/2026

Zuletzt geandert2/18/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

kimai:kimai

Schwachen (CWE)

CWE-1336

Referenzen

https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f(security-advisories@github.com)

https://github.com/kimai/kimai/pull/5757(security-advisories@github.com)

https://github.com/kimai/kimai/releases/tag/2.46.0(security-advisories@github.com)

https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.