CVE-2026-23626

MEDIUM

Kimai < 2.46.0 - Authenticated Information Disclosure via Twig Template Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-23626. PoCs published by HUSEYNKHANLI.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-23626, a Server-Side Template Injection (SSTI) vulnerability in Kimai 2.45.0. The exploit leverages an overly permissive Twig sandbox policy to extract sensitive data such as environment variables, password hashes, and session tokens.

Description

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.

Exploits (1)

github WORKING POC 1 stars

by HUSEYNKHANLI · pythonpoc

https://github.com/HUSEYNKHANLI/CVEs/tree/main/CVE-2026-23626

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-23626, a Server-Side Template Injection (SSTI) vulnerability in Kimai 2.45.0. The exploit leverages an overly permissive Twig sandbox policy to extract sensitive data such as environment variables, password hashes, and session tokens.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Kimai 2.45.0

Auth required

Prerequisites: Authenticated access with export permissions · Ability to deploy a malicious Twig template

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg

Issue Tracking x_refsource_misc

https://github.com/kimai/kimai/pull/5757

Patch x_refsource_misc

https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/kimai/kimai/releases/tag/2.46.0

Scores

CVSS v3 6.8

EPSS 0.0007

EPSS Percentile 22.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1336

Status published

Products (2)

kimai/kimai < 2.46.0

kimai/kimai 0 - 2.46.0Packagist

Published Jan 18, 2026

Tracked Since Feb 18, 2026