CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VRQV-52X7-RM4V: Information Exposure via Unrestricted Twig config() Function in Kimai

Vulnerability ID: GHSA-VRQV-52X7-RM4V
CVSS Score: Not Provided
Published: 2026-05-06

Kimai versions up to and including 2.55.0 are affected by an information exposure vulnerability: the custom Twig config() function lacks sufficient sandbox restrictions. A user with template upload privileges can call it to read sensitive server-wide configuration values, such as LDAP credentials and SAML private keys, and render them into exported invoices or documents.

TL;DR

The Twig config() function in Kimai failed to restrict access to sensitive configuration keys within sandboxed templates. Highly privileged users could exploit this to leak server secrets (LDAP/SAML) into rendered PDFs or HTML exports. The issue is resolved in version 2.56.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Application UI (Template Upload)
  • Impact: Confidentiality (Secret Leakage)
  • Privileges Required: High (ROLE_SUPER_ADMIN or upload_invoice_template)
  • Exploit Status: Proof of Concept Known
  • KEV Status: Not Listed

Affected Systems

  • Kimai (Self-Hosted)
  • Kimai: <= 2.55.0 (Fixed in: 2.56.0)

Mitigation Strategies

  • Upgrade the Kimai application to a patched release (2.56.0 or later).
  • Restrict the upload_invoice_template permission strictly to trusted administrators.
  • Audit custom invoice templates for suspicious Twig function calls.

Remediation Steps:

  1. Review the current installed version of Kimai.
  2. Schedule a maintenance window and back up the database and files.
  3. Update Kimai to version 2.56.0 or higher following the official documentation.
  4. Review user permissions and ensure only the System-Admin role has template management capabilities.
  5. Inspect existing custom templates under 'System -> Invoices -> Templates' for unauthorized config() usage.
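The version check in step 1 and the template inspection in step 5 can be scripted. The following is an added example, not code from the advisory or from the Kimai project: it flags Kimai versions below the fixed release and scans Twig template sources for calls to the config() function, ignoring Twig comments and variables that merely happen to be named config. The sample templates, their variable names and the configuration keys in them are constructed placeholders.

```python
import re

FIXED = (2, 56, 0)  # advisory: resolved in Kimai 2.56.0; <= 2.55.0 is affected


def is_affected(version: str) -> bool:
    """True when the installed Kimai version sorts below the fixed release."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED


# Twig comments are never executed, so blank them (keeping newlines for line numbers).
_COMMENT = re.compile(r"\{#.*?#\}", re.S)
# Only output {{ }} and logic {% %} tags can execute a function.
_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# A call to config(...); a variable named config (config.foo) does not match.
_CONFIG_CALL = re.compile(r"\bconfig\s*\(\s*([^)]*)\)")


def scan_template(source: str) -> list[tuple[int, str]]:
    """Return (line, argument) for each config() call that would execute when rendered."""
    cleaned = _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    findings = []
    for tag in _TAG.finditer(cleaned):
        for call in _CONFIG_CALL.finditer(tag.group(0)):
            line = cleaned.count("\n", 0, tag.start() + call.start()) + 1
            findings.append((line, call.group(1).strip()))
    return findings


def audit(templates: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Map template name -> findings, listing only templates that need review."""
    return {name: hits for name, src in templates.items() if (hits := scan_template(src))}


# Constructed sample templates; variable and key names are placeholders, not Kimai's.
BENIGN = """<h1>Invoice {{ invoice.number }}</h1>
<p>{{ customer.name }}</p>
{# config('note') inside a comment is never rendered #}
"""
SUSPICIOUS = """<h1>Invoice {{ invoice.number }}</h1>
{% set leaked = config('example.secret') %}
<p>{{ leaked }} {{ config("another.key") }}</p>
"""

if __name__ == "__main__":
    print("installed 2.55.0 affected:", is_affected("2.55.0"))
    for name, hits in audit({"benign.html.twig": BENIGN, "suspicious.html.twig": SUSPICIOUS}).items():
        for line, arg in hits:
            print(f"{name}:{line}: config({arg})")
```

Point `audit()` at the sources of the templates found under System -> Invoices -> Templates; any hit is a template to review with its uploader before the upgrade is considered complete.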

Read the full report for GHSA-VRQV-52X7-RM4V on our website for more details including interactive diagrams and full exploit analysis.
