Medium severity4.1GHSA Advisory· Published May 8, 2026· Updated May 8, 2026

CVE-2026-44298

Description

Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
kimai/kimaiPackagist	>= 2.32.0, < 2.56	2.56

Affected products

Kimai/Kimai2 versions
cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*range: >=2.32.0,<2.56.0
- (no CPE)range: >= 2.32.0, <= 2.55

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-h5fh-7hwr-97mwghsaADVISORY
github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mwnvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-44298ghsaADVISORY
github.com/kimai/kimai/releases/tag/2.56.0nvdRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.267
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000