CVE-2026-44298 Overview
CVE-2026-44298 is a path traversal vulnerability [CWE-22] affecting Kimai, an open-source time tracking application. The flaw exists in versions 2.32.0 through 2.55.x and allows authenticated System-Admin users with the upload_invoice_template permission to read arbitrary files from the server. Attackers exploit the issue by uploading a crafted PDF invoice template that calls pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. The mPDF library then embeds the target file contents into the rendered invoice output. The maintainers patched the issue in Kimai version 2.56.0.
Critical Impact
Any file readable by the PHP worker process can be exfiltrated through the generated PDF invoice, exposing credentials, configuration, and source code.
Affected Products
- Kimai versions 2.32.0 through 2.55.x
- Kimai self-hosted instances using PDF invoice rendering
- Deployments where the ROLE_SYSTEM_ADMIN role is delegated to multiple users
Discovery Timeline
- 2026-05-08 - CVE-2026-44298 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-44298
Vulnerability Analysis
The vulnerability stems from unsafe forwarding of Twig template options to the underlying mPDF rendering library. Kimai allows administrators to upload custom PDF invoice templates written in Twig. Inside the sandboxed render context, the template can invoke pdfContext.setOption('associated_files', ...) with an attacker-controlled file path. This option is passed directly to mPDF's SetAssociatedFiles() method. During PDF generation, the writer calls file_get_contents($entry['path']) on each entry and embeds the raw bytes as a FlateDecode stream inside the resulting PDF document.
An attacker who downloads the rendered invoice can extract the embedded stream and recover the file contents. Targets include .env files holding database credentials, application configuration, private keys, and PHP source files.
Root Cause
The Twig sandbox restricts dangerous PHP functions but does not restrict the associated_files option exposed by the pdfContext object. The mPDF writer treats the supplied path as trusted input and reads it from the local filesystem with the privileges of the PHP worker.
Attack Vector
Exploitation requires network access to the Kimai web interface and an authenticated session holding ROLE_SYSTEM_ADMIN with the upload_invoice_template permission. The attacker uploads a malicious Twig invoice template referencing an arbitrary local path, renders an invoice using that template, and downloads the resulting PDF to extract the embedded file stream. No user interaction beyond the attacker's own actions is required.
Verified exploitation details are documented in the Kimai GitHub Security Advisory GHSA-h5fh-7hwr-97mw.
Detection Methods for CVE-2026-44298
Indicators of Compromise
- Unexpected uploads or modifications to PDF invoice templates by System-Admin accounts.
- Twig invoice templates containing references to setOption('associated_files', ...) or pdfContext paths pointing outside the invoice asset directory.
- Generated PDF invoices with unusually large embedded FlateDecode streams or attached files referencing system paths.
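An added example of the template check described above (it also covers the template-directory audit in the next section); this is not Kimai's or the advisory's own code. It scans Twig sources for the setOption('associated_files', ...) call and flags literal paths outside an assumed asset prefix; ALLOWED_PREFIX is hypothetical, and the call shape and sample templates are constructed from the advisory's description.

```python
import re
from pathlib import Path

# The option call named in the advisory, captured up to the end of the Twig tag
# so that nested brackets and hashes inside the argument are included.
OPTION_RE = re.compile(
    r"""setOption\(\s*['"]associated_files['"]\s*,(?P<args>.*?)(?:%}|}})""",
    re.DOTALL,
)
# 'path': '...' entries inside the argument (mPDF reads the 'path' key).
PATH_RE = re.compile(r"""['"]path['"]\s*:\s*['"](?P<path>[^'"]*)['"]""")
# Hypothetical prefix for legitimate invoice assets; adjust to the deployment.
ALLOWED_PREFIX = "var/invoices/"

def is_suspicious_path(path: str) -> bool:
    """Absolute paths, traversal, or anything outside the asset area."""
    return path.startswith("/") or ".." in path or not path.startswith(ALLOWED_PREFIX)

def audit_template(source: str) -> list:
    """Return (severity, reason, detail) tuples for one template's source text."""
    findings = []
    for m in OPTION_RE.finditer(source):
        args = m.group("args")
        paths = PATH_RE.findall(args)
        if not paths:  # path built from variables: cannot be checked statically
            findings.append(("high", "associated_files with non-literal path", args.strip()))
        for p in paths:
            if is_suspicious_path(p):
                findings.append(("high", "associated_files reads file outside asset area", p))
            else:
                findings.append(("review", "associated_files used", p))
    return findings

def audit_directory(root: str) -> dict:
    """Map each *.twig file under root to its findings (clean files omitted)."""
    results = {}
    for f in Path(root).rglob("*.twig"):
        findings = audit_template(f.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(f)] = findings
    return results

# Constructed sample templates (not real Kimai templates).
SAMPLE_MALICIOUS = """{% do pdfContext.setOption('associated_files', [
    {'name': 'notes.txt', 'mime': 'text/plain', 'path': '/var/www/kimai/.env'}
]) %}
<h1>Invoice</h1>"""
SAMPLE_BENIGN = "<h1>Invoice</h1>\n<p>{{ 'Total' }}</p>"
```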
Detection Strategies
- Audit the Kimai invoice template directory for templates that invoke associated_files or reference absolute filesystem paths.
- Review application logs for invoice template upload events tied to ROLE_SYSTEM_ADMIN accounts and correlate with subsequent invoice render requests.
- Inspect outbound PDF artifacts for embedded files using PDF parsing tools such as pdfid or peepdf to flag attached streams referencing sensitive locations.
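As an added illustration of the PDF inspection step (not code from Kimai, mPDF, pdfid or peepdf): a minimal scanner over raw PDF bytes that lists /EmbeddedFile streams, inflates FlateDecode data and flags attachments that look like a .env file rather than e-invoice XML. The sample PDF is constructed, and objects stored inside compressed object streams are not handled.

```python
import re
import zlib

# Filespec dictionaries carry the declared attachment name (/F or /UF).
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/(?:UF|F)\s*\((?P<name>[^)]*)\)", re.DOTALL)
# The embedded-file stream dictionary, up to the first byte of stream data.
STREAM_RE = re.compile(rb"/Type\s*/EmbeddedFile(?P<dict>.*?)>>\s*stream\r?\n", re.DOTALL)
# A direct /Length value; an indirect "n 0 R" reference is deliberately skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
DOTENV_RE = re.compile(rb"^[A-Z][A-Z0-9_]*=", re.MULTILINE)  # KEY=VALUE lines, as in .env

def list_embedded_files(pdf: bytes) -> list:
    """One record per embedded-file stream whose objects are stored uncompressed.
    Names are paired with streams by order; a full PDF parser would follow /EF."""
    names = [m.group("name").decode("latin-1") for m in FILESPEC_RE.finditer(pdf)]
    records = []
    for i, m in enumerate(STREAM_RE.finditer(pdf)):
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        if length:
            data = pdf[start:start + int(length.group(1))]
        else:  # no direct /Length: fall back to the endstream keyword
            data = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in m.group("dict"):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # report the raw bytes rather than drop the record
        records.append({
            "name": names[i] if i < len(names) else "<unnamed>",
            "size": len(data),
            "looks_like_dotenv": bool(DOTENV_RE.search(data)),
            "looks_like_xml": data.lstrip().startswith(b"<"),
        })
    return records

def suspicious_attachments(pdf: bytes) -> list:
    """Attachments that are not the XML data an e-invoice PDF may legitimately carry."""
    return [r for r in list_embedded_files(pdf) if not r["looks_like_xml"]]

# Constructed sample: a minimal PDF fragment with one FlateDecode attachment.
SAMPLE_SECRET = b"APP_ENV=prod\nDATABASE_URL=mysql://kimai:constructed-sample@db/kimai\n"
_deflated = zlib.compress(SAMPLE_SECRET)
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AF [2 0 R] >>\nendobj\n2 0 obj\n<< /Type /Filespec"
    b" /F (invoice-data.xml) /UF (invoice-data.xml) /EF << /F 3 0 R >> >>\nendobj\n3 0 obj\n"
    b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length " + str(len(_deflated)).encode()
    + b" /Params << /Size " + str(len(SAMPLE_SECRET)).encode() + b" >> >>\nstream\n"
    + _deflated + b"\nendstream\nendobj\n%%EOF\n")
```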
Monitoring Recommendations
- Alert on any modification of invoice_template records in the Kimai database.
- Monitor the PHP worker file access patterns for reads of sensitive files such as .env, parameters.yaml, or /etc/passwd originating from PDF rendering processes.
- Track HTTP requests to invoice upload and render endpoints for anomalies in frequency or template content size.
How to Mitigate CVE-2026-44298
Immediate Actions Required
- Upgrade Kimai to version 2.56.0 or later, which removes the unsafe option forwarding to mPDF.
- Review all existing PDF invoice templates and remove any that reference associated_files or non-standard filesystem paths.
- Audit the assignment of ROLE_SYSTEM_ADMIN and the upload_invoice_template permission, revoking access where not strictly required.
Patch Information
The fix is included in Kimai 2.56.0. Release notes and source changes are available in the Kimai 2.56.0 GitHub Release. Self-hosted operators should follow the standard Kimai upgrade procedure and verify the version string after deployment.
Workarounds
- Restrict the upload_invoice_template permission to a single trusted administrator until the upgrade is complete.
- Run the PHP worker under a least-privilege user account with read access limited to the Kimai application directory.
- Place sensitive files such as .env and private keys outside the document root and outside any directory readable by the PHP worker where feasible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.