PT-2026-60091 · Packagist · Kimai/Kimai

Publicado

2026-07-14

·

Atualizado

2026-07-14

·

CVE-2026-52824

CVSS v4.0

9.1

Crítica

VetorAV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

The official Kimai Docker image ships with APP SECRET=change this to something unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super admin.

Details

Dockerfile:263 sets ENV APP SECRET=change this to something unique. This value is consumed by config/packages/framework.yaml:7 as kernel.secret, which Symfony uses to HMAC-sign:
  • The KIMAI REMEMBER remember-me cookie
  • LoginLink signatures
  • Password reset URLs
  • CSRF tokens
The .docker/entrypoint.sh does not check for or replace the default sentinel value. The bare-metal .env.dist:38 ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when APP SECRET equals the sentinel.
User IDs are sequential integers starting from 1. The first super admin account is almost always id=1. User IDs are visible in some URLs and API responses.
A PoC was provided, but removed for security reasons.

Impact

Any Kimai instance deployed via the official Docker image without overriding APP SECRET can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:
  • a username is known AND
  • the correct account ID for this username is guessed AND
  • the account has no active 2FA (two factor) authentication

Solution

  • The entrypoint.sh file is updated and now contains a script that generates a random APP SECRET via bin2hex(random bytes(32)) which will be stored in /opt/kimai/var/data/.appsecret
  • The entrypoint.sh will create the file /opt/kimai/.env.local containing the APP SECRET, either fetched from the Docker Environment or from the newly created secret file
  • The documentation was updated to highlight the importance of using a random secret for APP SECRET
  • The Dockerfile removed default APP SECRET=change this to something unique
  • Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded APP SECRET=change this to something unique

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-52824
GHSA-JR9P-4H4J-6C58

Produtos afetados

Kimai/Kimai