PT-2026-34829 · Packagist · Kimai/Kimai
Published
2026-04-14
·
Updated
2026-04-14
CVSS v3.1
2.0
Low
| Vector | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |
Summary
The Twig sandbox used for invoice templates blocks certain sensitive
User methods (password, TOTP secret, etc.) via a blocklist in StrictPolicy::checkMethodAllowed(). However, getApiToken() and getPlainApiToken() are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.Only relevant for OnPremise installations with template upload activated.
Background
Kimai allows admins (
ROLE ADMIN and above) with the manage invoice template permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with StrictPolicy controlling which methods and properties are accessible.StrictPolicy explicitly blocks:php
// src/Twig/SecurityPolicy/StrictPolicy.php:156
if (in array($lcm, [
'getpassword',
'gettotpsecret',
'getplainpassword',
'getconfirmationtoken',
'gettotpauthenticationconfiguration'
], true)) {
throw new SecurityNotAllowedMethodError(...);
}getApiToken() and getPlainApiToken() are not in this list and are freely callable.Vulnerable Code
StrictPolicy.php — missing entries in the User method blocklist:php
// Current
['getpassword', 'gettotpsecret', 'getplainpassword', 'getconfirmationtoken', 'gettotpauthenticationconfiguration']
// Should also include:
'getapitoken', 'getplainapitoken'The invoice model passes a
User object through model.user, accessible in any twig invoice template.Steps to Reproduce
- Log in as an admin with the
manage invoice templatepermission. - Create a new Twig invoice template (HTML or PDF) containing:
twig
API Token: {{ model.user.getApiToken() }}
Plain Token: {{ model.user.getPlainApiToken() }}- Save the template and set it as the default for a customer.
- Log in as a regular user assigned to that customer and generate an invoice.
- Observe that the rendered invoice contains the user's API token in plaintext.
Impact
An admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output.
- API passwords are deprecated since April 2024 and not in wide use anymore (especially by new users)
- The function
getPlainApiToken()does NEVER return any data - The function
getApiToken()might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables - The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated
Fix
The SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878
This disables access to both the
getApiToken() and getPlainApiToken() function.Fix
Incomplete List of Disallowed Inputs
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kimai/Kimai