CVE-2026-44298

MEDIUM 4.1

Kimai: Arbitrary file read in invoice PDF renderer (admin)

CVSS Score

4.1

EPSS Score

0.0%

EPSS Percentile

0th

Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.

CWE	CWE-22
Vendor	kimai
Product	kimai
Published	May 8, 2026
Last Updated	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for kimai kimai

Be the first to know when new medium vulnerabilities affecting kimai kimai are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

kimai / kimai

>= 2.32.0, < 2.56.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw github.com: https://github.com/kimai/kimai/releases/tag/2.56.0