CVE-2026-44298

Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/kimai/kimai/releases/tag/2.56.0	Release Notes
https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*

History

08 May 2026, 20:01

Type	Values Removed	Values Added
First Time		Kimai kimai Kimai
CPE		cpe:2.3:a:kimai:kimai::::::::
References	~~() https://github.com/kimai/kimai/releases/tag/2.56.0 -~~	() https://github.com/kimai/kimai/releases/tag/2.56.0 - Release Notes
References	~~() https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw -~~	() https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw - Mitigation, Vendor Advisory

08 May 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 04:16

Updated : 2026-05-08 20:01

NVD link : CVE-2026-44298

Mitre link : CVE-2026-44298

CVE.ORG link : CVE-2026-44298

JSON object : View

Products Affected

kimai

kimai

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-44298", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2026-05-08T04:16:24.230", "references": [{"url": "https://github.com/kimai/kimai/releases/tag/2.56.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0."}], "lastModified": "2026-05-08T20:01:41.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89508F96-AB37-476D-82CD-B4750C90BDD8", "versionEndExcluding": "2.56.0", "versionStartIncluding": "2.32.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}