CVE-2026-52824
PHP Schwachstellenanalyse und -minderung

Überblick

CVE-2026-52824 is an insecure default initialization vulnerability in the official Kimai Docker image that enables unauthenticated attackers to forge HMAC-signed cookies and authentication tokens, leading to full account takeover including super_admin accounts. The vulnerability affects Kimai versions up to and including 2.57.0 (composer package kimai/kimai), with version 2.58.0 containing the fix. It was first published on June 11, 2026, and added to the GitHub Advisory Database on July 14, 2026. The CVSS v4 base score is 9.1 (Critical) (GitHub Advisory, Kimai Advisory).

Technische Details

The root cause is CWE-1188 (Insecure Default Initialization of Resource): Dockerfile:263 hardcodes ENV APP_SECRET=change_this_to_something_unique, and .env.dist:38 ships the same sentinel value for bare-metal deployments. This value is consumed by config/packages/framework.yaml:7 as Symfony's kernel.secret, which is used to HMAC-sign the KIMAI_REMEMBER remember-me cookie, LoginLink signatures, password reset URLs, and CSRF tokens. Because the .docker/entrypoint.sh performs no validation or replacement of this default, and no startup-time guard exists to refuse launch with the sentinel value, any attacker who knows the publicly-documented default secret can compute valid HMAC signatures. Exploitation requires knowing or guessing a target username and their sequential integer user ID (visible in some URLs and API responses), and the target account must not have 2FA enabled (GitHub Advisory, Kimai Advisory).

Aufprall

Successful exploitation allows an unauthenticated remote attacker to forge valid remember-me cookies or login links for any Kimai account, including the super_admin account (typically user ID 1), effectively achieving complete authentication bypass. This grants full administrative access to the Kimai time-tracking application, exposing all tracked time records, project data, user information, and financial data managed within the instance. Integrity is also compromised as the attacker can modify records, create or delete users, and alter billing data; availability is not directly impacted by this vulnerability (GitHub Advisory).

Ausnutzungsschritte

  1. Reconnaissance: Identify internet-facing Kimai instances deployed via Docker using tools like Shodan or Censys (e.g., searching for Kimai HTTP headers or login page fingerprints). Confirm the instance is running version ≤ 2.57.0.
  2. Enumerate user information: Browse publicly accessible Kimai URLs or API endpoints (e.g., /api/users) to identify usernames and their sequential integer user IDs. The super_admin account is typically id=1.
  3. Obtain the known secret: Use the publicly documented default value change_this_to_something_unique as the APP_SECRET / Symfony kernel.secret.
  4. Forge a remember-me cookie: Using the known secret, compute a valid HMAC signature for a KIMAI_REMEMBER remember-me cookie targeting the desired user ID and username, following Symfony's remember-me cookie format.
  5. Submit the forged cookie: Send an HTTP request to the Kimai instance with the forged KIMAI_REMEMBER cookie set in the browser or HTTP client.
  6. Achieve account takeover: If the target account has no 2FA enabled, Kimai accepts the forged cookie and authenticates the attacker as the target user (e.g., super_admin), granting full administrative access (GitHub Advisory, Kimai Advisory).

Indikatoren für Kompromittierung

  • Network: Unexpected or repeated HTTP requests to Kimai login or API endpoints from unfamiliar IP addresses, particularly with pre-set cookie headers rather than following a normal login flow; requests to /api/users or user profile URLs from unauthenticated sessions.
  • Logs: Kimai/Symfony application logs showing successful authentication events via remember-me cookie (KIMAI_REMEMBER) without a preceding credential-based login, especially for privileged accounts (super_admin); authentication events from unusual geographic locations or IP addresses.
  • File System: Presence of /opt/kimai/.env.local still containing APP_SECRET=change_this_to_something_unique (indicating the patch has not been applied or the file was not regenerated); absence of /opt/kimai/var/data/.appsecret on patched deployments.
  • Application Behavior: Unexpected administrative actions (user creation/deletion, data modification, configuration changes) in audit logs not correlated with known administrator activity (GitHub Advisory).

Risikominderung und Problemumgehungen

Upgrade to Kimai version 2.58.0, which updates entrypoint.sh to auto-generate a random APP_SECRET via bin2hex(random_bytes(32)), stores it in /opt/kimai/var/data/.appsecret, and removes the hardcoded default from the Dockerfile. Additionally, login links now include more entropy (see GHSA-m492-gv72-xvxj), mitigating login link forgery even on instances still using the old secret. As an immediate workaround for deployments that cannot upgrade, explicitly set the APP_SECRET environment variable to a cryptographically strong random value (e.g., 32+ random bytes hex-encoded) in the Docker run command or compose file. Enabling 2FA on all privileged accounts (especially super_admin) significantly reduces the risk of account takeover even if the secret is compromised (Kimai Advisory, GitHub Advisory).

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt PHP Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-52824CRITICAL9.1
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52827HIGH7.1
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52828MEDIUM5.3
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52826MEDIUM5.3
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026
CVE-2026-52825MEDIUM5.3
  • PHP logoPHP
  • kimai/kimai
NeinJaJul 14, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement