{"uuid": "fc4b4775-992c-4630-82e7-586c6e72b0cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-VRQV-52X7-RM4V", "type": "seen", "source": "https://gist.github.com/alon710/ddc2dae3143b446acfb966905cf3bf2f", "content": "# GHSA-VRQV-52X7-RM4V: GHSA-VRQV-52X7-RM4V: Information Exposure via Unrestricted Twig config() Function in Kimai\n\n> **CVSS Score:** Not Provided\n> **Published:** 2026-05-06\n> **Full Report:** https://cvereports.com/reports/GHSA-VRQV-52X7-RM4V\n\n## Summary\nKimai versions up to 2.55.0 suffer from an information exposure vulnerability where the custom Twig `config()` function lacks sufficient sandbox restrictions. This flaw allows users with template upload privileges to extract sensitive server-wide configuration values, such as LDAP credentials and SAML private keys, by rendering them into exported invoices or documents.\n\n## TL;DR\nThe Twig `config()` function in Kimai failed to restrict access to sensitive configuration keys within sandboxed templates. Highly privileged users could exploit this to leak server secrets (LDAP/SAML) into rendered PDFs or HTML exports. The issue is resolved in version 2.56.0.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-200\n- **Attack Vector**: Application UI (Template Upload)\n- **Impact**: Confidentiality (Secret Leakage)\n- **Privileges Required**: High (ROLE_SUPER_ADMIN or upload_invoice_template)\n- **Exploit Status**: Proof of Concept Known\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Kimai (Self-Hosted)\n- **Kimai**: <= 2.55.0 (Fixed in: `2.56.0`)\n\n## Mitigation\n\n- Upgrade Kimai application to a patched release.\n- Restrict the `upload_invoice_template` permission strictly to trusted administrators.\n- Audit custom invoice templates for suspicious Twig function calls.\n\n**Remediation Steps:**\n1. Review the current installed version of Kimai.\n2. Schedule a maintenance window and back up the database and files.\n3. Update Kimai to version 2.56.0 or higher following the official documentation.\n4. Review user permissions and ensure only the System-Admin role has template management capabilities.\n5. Inspect existing custom templates under 'System -> Invoices -> Templates' for unauthorized `config()` usage.\n\n## References\n\n- [GitHub Advisory: GHSA-VRQV-52X7-RM4V](https://github.com/advisories/GHSA-VRQV-52X7-RM4V)\n- [Kimai Official Advisory](https://www.kimai.org/en/security/ghsa-vrqv-52x7-rm4v)\n- [Kimai Security Documentation](https://www.kimai.org/documentation/bughunter.html)\n- [Patch Diff](https://github.com/kimai/kimai/pull/5923.diff)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-VRQV-52X7-RM4V) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-06T19:10:29.000000Z"}