CVE-2026-44298
Kimai: Arbitrary file read in invoice PDF renderer (admin)
In short
Kimai allows administrators with specific permissions to upload malicious PDF invoice templates that can read any file accessible to the web server and embed it in generated PDFs. This lets attackers extract sensitive information like configuration files or credentials.
Technical detail
A path traversal vulnerability (CWE-22) exists in Kimai's PDF invoice renderer where authenticated users with ROLE_SYSTE_ADMIN and upload_invoice_template permission can inject arbitrary file paths via Twig's pdfContext.setOption() in sandboxed templates. The mPDF library then executes file_get_contents() on attacker-controlled paths during PDF generation, allowing exfiltration of files readable by the PHP process.
Summary generated and translated by AI from the official description.
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.
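One way a renderer can keep template-settable mPDF options from reaching file_get_contents() with an attacker-chosen path, as an added hardening example written for this page (not Kimai's or mPDF's own code; the class name SafePdfContext, the option allowlist and the attachment directory are assumptions, PHP 8.1+):

```php
<?php
// Hypothetical hardening example, not Kimai's or mPDF's code.
// Assumes a template-facing context object that collects options before the
// renderer hands them to Mpdf::SetAssociatedFiles(); the point is that a
// template can no longer name an arbitrary filesystem path.
declare(strict_types=1);

final class SafePdfContext
{
    /** Option keys a sandboxed template may set at all (assumed allowlist). */
    private const ALLOWED_OPTIONS = ['title', 'author', 'associated_files'];

    /** @var array<string, mixed> */
    private array $options = [];

    public function __construct(private readonly string $attachmentDir)
    {
    }

    public function setOption(string $key, mixed $value): void
    {
        if (!in_array($key, self::ALLOWED_OPTIONS, true)) {
            throw new InvalidArgumentException("Option '$key' is not settable from a template");
        }
        if ($key === 'associated_files') {
            $value = array_map([$this, 'sanitizeAttachment'], (array) $value);
        }
        $this->options[$key] = $value;
    }

    /**
     * Only the file name of the requested path is kept, it is resolved with
     * realpath() inside the attachment directory, and the result must still
     * lie under that directory (this also rejects symlinks pointing outside).
     */
    private function sanitizeAttachment(array $entry): array
    {
        if (!isset($entry['path']) || !is_string($entry['path'])) {
            throw new InvalidArgumentException('Attachment entry needs a string path');
        }
        $base = realpath($this->attachmentDir);
        $real = realpath($this->attachmentDir . '/' . basename($entry['path']));
        if ($base === false || $real === false
            || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
            throw new InvalidArgumentException('Attachment outside attachment directory: ' . $entry['path']);
        }
        $entry['path'] = $real;
        return $entry;
    }

    public function getOptions(): array
    {
        return $this->options;
    }
}
```

Rejecting the option outright for template-originated calls is the simpler fix where invoices never need attachments; the allowlist constant above is the place to do that.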
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Affected products
kimai · kimai