PT-2026-3401 · Kimai · Kimai

Huseynkhanli · Published 2026-01-18 · Updated 2026-02-18 · CVE-2026-23626

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kimai versions prior to 2.46.0

Description: Kimai is a web-based multi-user time-tracking application. The export functionality renders templates in a Twig sandbox whose security policy (DefaultPolicy) is overly permissive, allowing arbitrary method calls on objects within the template context. An authenticated user with export permissions can upload a malicious Twig template that calls those methods and extracts sensitive information, including environment variables, all user password hashes, serialized session tokens, and CSRF tokens.

Recommendations: Update to version 2.46.0 or later.
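The root cause described above is a sandbox policy that permits method calls the export templates never need. The following PHP snippet is an added illustration, not Kimai's code and not the fix shipped in 2.46.0: it shows a deny-by-default Twig SecurityPolicy that allowlists a single method per class, so a template that calls anything else is rejected at render time instead of leaking data. It assumes Twig 3 installed via Composer and PHP 8; the User class, the hash placeholder and both templates are constructed for the example.

```php
<?php
// Added example (not Kimai's code): a deny-by-default Twig sandbox policy.
// Assumes Twig 3 via Composer and PHP 8. The User class, the hash value and
// the two templates are constructed for illustration only.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an entity exposed to user-supplied export templates.
final class User
{
    public function __construct(private string $name, private string $passwordHash) {}
    public function getName(): string { return $this->name; }
    public function getPassword(): string { return $this->passwordHash; }
}

// Allowlist: only the tags, filters, methods, properties and functions an export
// template legitimately needs. Everything not listed is refused, so a template
// cannot reach getPassword() or any other method on the context objects.
// 'escape' is listed because autoescaping inserts that filter automatically.
$policy = new SecurityPolicy(
    ['if', 'for'],               // allowed tags
    ['escape', 'upper', 'date'], // allowed filters
    ['User' => ['getName']],     // allowed methods, keyed by class name
    [],                          // allowed properties: none
    []                           // allowed functions: none
);

$twig = new Environment(new ArrayLoader([
    'benign'    => 'Name: {{ user.getName() }}',
    'overreach' => 'Hash: {{ user.getPassword() }}',
]));
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Renders an export template; a policy violation is logged and refused rather
// than surfacing the data the template asked for.
function renderExport(Environment $twig, string $template, array $context): string
{
    try {
        return $twig->render($template, $context);
    } catch (SecurityError $e) {
        error_log('export template rejected: ' . $e->getMessage());
        return 'REJECTED: ' . $e->getMessage();
    }
}

$user = new User('alice', '$2y$10$CONSTRUCTED-HASH-PLACEHOLDER');

echo renderExport($twig, 'benign', ['user' => $user]), PHP_EOL;
echo renderExport($twig, 'overreach', ['user' => $user]), PHP_EOL;
```

The first render prints the user's name; the second is refused with a SecurityNotAllowedMethodError because getPassword is not in the allowlist for User. The design point is that the policy names what templates may call, per class, rather than what they may not, so newly added getters on context objects stay unreachable until a maintainer deliberately allowlists them.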
Related Identifiers: CVE-2026-23626, GHSA-JG2J-2W24-54CG

Affected Products: Kimai