
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-52824 is an insecure default initialization vulnerability in the official Kimai Docker image that enables unauthenticated attackers to forge HMAC-signed cookies and authentication tokens, leading to full account takeover including super_admin accounts. The vulnerability affects Kimai versions up to and including 2.57.0 (composer package kimai/kimai), with version 2.58.0 containing the fix. It was first published on June 11, 2026, and added to the GitHub Advisory Database on July 14, 2026. The CVSS v4 base score is 9.1 (Critical) (GitHub Advisory, Kimai Advisory).
The root cause is CWE-1188 (Insecure Default Initialization of Resource): Dockerfile:263 hardcodes ENV APP_SECRET=change_this_to_something_unique, and .env.dist:38 ships the same sentinel value for bare-metal deployments. This value is consumed by config/packages/framework.yaml:7 as Symfony's kernel.secret, which is used to HMAC-sign the KIMAI_REMEMBER remember-me cookie, LoginLink signatures, password reset URLs, and CSRF tokens. Because the .docker/entrypoint.sh performs no validation or replacement of this default, and no startup-time guard exists to refuse launch with the sentinel value, any attacker who knows the publicly-documented default secret can compute valid HMAC signatures. Exploitation requires knowing or guessing a target username and their sequential integer user ID (visible in some URLs and API responses), and the target account must not have 2FA enabled (GitHub Advisory, Kimai Advisory).
Successful exploitation allows an unauthenticated remote attacker to forge valid remember-me cookies or login links for any Kimai account, including the super_admin account (typically user ID 1), effectively achieving complete authentication bypass. This grants full administrative access to the Kimai time-tracking application, exposing all tracked time records, project data, user information, and financial data managed within the instance. Integrity is also compromised as the attacker can modify records, create or delete users, and alter billing data; availability is not directly impacted by this vulnerability (GitHub Advisory).
/api/users) to identify usernames and their sequential integer user IDs. The super_admin account is typically id=1.change_this_to_something_unique as the APP_SECRET / Symfony kernel.secret.KIMAI_REMEMBER remember-me cookie targeting the desired user ID and username, following Symfony's remember-me cookie format.KIMAI_REMEMBER cookie set in the browser or HTTP client./api/users or user profile URLs from unauthenticated sessions.KIMAI_REMEMBER) without a preceding credential-based login, especially for privileged accounts (super_admin); authentication events from unusual geographic locations or IP addresses./opt/kimai/.env.local still containing APP_SECRET=change_this_to_something_unique (indicating the patch has not been applied or the file was not regenerated); absence of /opt/kimai/var/data/.appsecret on patched deployments.Upgrade to Kimai version 2.58.0, which updates entrypoint.sh to auto-generate a random APP_SECRET via bin2hex(random_bytes(32)), stores it in /opt/kimai/var/data/.appsecret, and removes the hardcoded default from the Dockerfile. Additionally, login links now include more entropy (see GHSA-m492-gv72-xvxj), mitigating login link forgery even on instances still using the old secret. As an immediate workaround for deployments that cannot upgrade, explicitly set the APP_SECRET environment variable to a cryptographically strong random value (e.g., 32+ random bytes hex-encoded) in the Docker run command or compose file. Enabling 2FA on all privileged accounts (especially super_admin) significantly reduces the risk of account takeover even if the secret is compromised (Kimai Advisory, GitHub Advisory).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"