Vulnerability Description
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kimai | Kimai | >= 2.32.0, < 2.56.0 |
Related Weaknesses (CWE)
References
- https://github.com/kimai/kimai/releases/tag/2.56.0Release Notes
- https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mwMitigationVendor Advisory
FAQ
What is CVE-2026-44298?
CVE-2026-44298 is a vulnerability with a CVSS score of 4.1 (MEDIUM). Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can uplo...
How severe is CVE-2026-44298?
CVE-2026-44298 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-44298?
Check the references section above for vendor advisories and patch information. Affected products include: Kimai Kimai.