PT-2026-60091 · Packagist · Kimai/Kimai
Publicado
2026-07-14
·
Atualizado
2026-07-14
·
CVE-2026-52824
CVSS v4.0
9.1
Crítica
| Vetor | AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
The official Kimai Docker image ships with
APP SECRET=change this to something unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super admin.Details
Dockerfile:263 sets ENV APP SECRET=change this to something unique. This value is consumed by config/packages/framework.yaml:7 as kernel.secret, which Symfony uses to HMAC-sign:- The
KIMAI REMEMBERremember-me cookie - LoginLink signatures
- Password reset URLs
- CSRF tokens
The
.docker/entrypoint.sh does not check for or replace the default sentinel value. The bare-metal .env.dist:38 ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when APP SECRET equals the sentinel.User IDs are sequential integers starting from 1. The first super admin account is almost always
id=1. User IDs are visible in some URLs and API responses.A PoC was provided, but removed for security reasons.
Impact
Any Kimai instance deployed via the official Docker image without overriding
APP SECRET can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:- a username is known AND
- the correct account ID for this username is guessed AND
- the account has no active 2FA (two factor) authentication
Solution
- The entrypoint.sh file is updated and now contains a script that generates a random
APP SECRETviabin2hex(random bytes(32))which will be stored in/opt/kimai/var/data/.appsecret - The entrypoint.sh will create the file
/opt/kimai/.env.localcontaining theAPP SECRET, either fetched from the Docker Environment or from the newly created secret file - The documentation was updated to highlight the importance of using a random secret for
APP SECRET - The Dockerfile removed default
APP SECRET=change this to something unique - Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded
APP SECRET=change this to something unique
See https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58 for more information.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Kimai/Kimai