GHSA-VRQV-52X7-RM4V

Vulnerability from github – Published: 2026-05-06 18:42 – Updated: 2026-05-06 18:42
VLAI?
Summary
Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates
Details

Summary

Kimai's Twig sandbox (StrictPolicy, used for admin-uploaded invoice and export templates) allow-lists the config() Twig function with no key filtering. config(name) delegates to App\Configuration\SystemConfiguration::find($name), which returns arbitrary entries from the flattened kimai.config container parameter built in App\DependencyInjection\AppExtension::loadInternal(). Any admin who can upload a Twig template can therefore render server-wide secrets - the LDAP bind password, the SAML SP private key, and any other dotted configuration key populated from kimai.yaml - into the invoice or export output, which is then delivered to whoever generates an invoice or export from that template (including lower-privileged users such as teamleads with invoice permissions). This is a second, uncovered class of the same defense-in-depth issue patched in GHSA-rh42-6rj2-xwmc: the previous fix added a User-method blocklist but left the config() function unrestricted.

Details

src/Twig/SecurityPolicy/StrictPolicy.php:40-55 explicitly allow-lists 'config':

private array $allowedFunctions = [
    'max', 'min', 'range', 'constant', 'cycle', 'random', 'date',
    't',
    'encore_entry_css_source', 'encore_entry_link_tags', 'encore_entry_script_tags',
    'is_granted',
    'qr_code_data_uri',
    'config',                       // <-- sink, no key filter
    'create_date', 'month_names', 'locale_format',
    'class_name'
];

src/Twig/Configuration.php:22-45 is the Twig function implementation:

public function getFunctions(): array
{
    return [new TwigFunction('config', [$this, 'get'])];
}

public function get(string $name)
{
    switch ($name) {
        case 'chart-class':                     return '';
        case 'theme.chart.background_color':    return '#3c8dbc';
        // ... 4 more theme constants
    }
    return $this->configuration->find($name);   // <-- arbitrary key lookup
}

App\Configuration\SystemConfiguration::find() at src/Configuration/SystemConfiguration.php:54-62 is a direct dictionary lookup. The dictionary $this->settings is initialised from the kimai.config container parameter, which the AppExtension flattens from kimai.yaml into dotted-notation keys.


The LDAP and SAML schemas declared in `src/DependencyInjection/Configuration.php` define secret-valued scalar nodes that survive the flattening and become reachable keys:

```php
// getLdapNode()
->arrayNode('connection')
    ->children()
        ->scalarNode('host')->defaultNull()->end()
        ->scalarNode('username')->end()
        ->scalarNode('password')->end()       // -> settings['ldap.connection.password']
        ...

// getSamlNode()
->arrayNode('sp')
    ->children()
        ->scalarNode('x509cert')->end()
        ->scalarNode('privateKey')->end()     // -> settings['saml.connection.sp.privateKey']
        ...

The invoice and export renderers both enable the sandbox against StrictPolicy and pass the shared Twig environment - the one with the config function registered - into sandboxed rendering: src/Invoice/Renderer/AbstractTwigRenderer.php:66-74 and src/Export/Base/{PDFRenderer,HtmlRenderer}.php. An admin who uploads a malicious invoice or export template therefore gets an unrestricted read primitive against kimai.config.

In a real deployment the attacker template is uploaded through the admin UI (ROLE_SUPER_ADMIN, permission upload_invoice_template), saved by src/Invoice/InvoiceTemplate* and later rendered by whoever generates an invoice or export for that template. The rendering user is typically a teamlead or admin with invoice permission (INVOICE permission set: ['view_invoice','create_invoice','manage_invoice_template'], granted to ROLE_ADMIN and ROLE_TEAMLEAD in config/packages/kimai.yaml). The rendered output is returned as the invoice PDF/HTML or as a CSV/XLSX export, so the secrets land in a document that is routinely downloaded and emailed.

Impact

Any Kimai deployment that (a) has SAML or LDAP configured in kimai.yaml, and (b) has at least one user (other than the current SUPER_ADMIN) who will render a template-based invoice or export in the future, is affected. A malicious or compromised SUPER_ADMIN can upload a template once, leave, and subsequent invoice or export generations by teamleads or other admins silently exfiltrate ldap.connection.password, saml.connection.sp.privateKey, saml.connection.sp.x509cert, and any other dotted configuration key into an attacker-readable artifact. The LDAP bind password gives domain-credential access to the company directory and often to every downstream system that trusts the same directory; the SAML SP private key allows an attacker to forge signed SAML assertions to any service provider that trusts the same key pair. This is the same class of defense-in-depth leak that GHSA-rh42-6rj2-xwmc patched for user-level secrets, at a broader impact because the keys leaked here are system-wide rather than per-user, and the current StrictPolicy does not intercept the config() call path.

Solution

The config() function was patched to only return a pre-configured list of settings in sandboxed mode.

Additional checks were added to prevent access to configs that start with saml. or ldap..

Kimai will not issue a CVE, because this requires a SUPER_ADMIN account and it only affects system with activated LDAP or SAML, which also uses the invoice system.

Severity ?
5.0 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.55.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.56.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T18:42:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nKimai\u0027s Twig sandbox (`StrictPolicy`, used for admin-uploaded invoice and export templates) allow-lists the `config()` Twig function with no key filtering. `config(name)` delegates to `App\\Configuration\\SystemConfiguration::find($name)`, which returns arbitrary entries from the flattened `kimai.config` container parameter built in `App\\DependencyInjection\\AppExtension::loadInternal()`. Any admin who can upload a Twig template can therefore render server-wide secrets - the LDAP bind password, the SAML SP private key, and any other dotted configuration key populated from `kimai.yaml` - into the invoice or export output, which is then delivered to whoever generates an invoice or export from that template (including lower-privileged users such as teamleads with invoice permissions). This is a second, uncovered class of the same defense-in-depth issue patched in GHSA-rh42-6rj2-xwmc: the previous fix added a User-method blocklist but left the `config()` function unrestricted.\n\n### Details\n\n`src/Twig/SecurityPolicy/StrictPolicy.php:40-55` explicitly allow-lists `\u0027config\u0027`:\n\n```php\nprivate array $allowedFunctions = [\n    \u0027max\u0027, \u0027min\u0027, \u0027range\u0027, \u0027constant\u0027, \u0027cycle\u0027, \u0027random\u0027, \u0027date\u0027,\n    \u0027t\u0027,\n    \u0027encore_entry_css_source\u0027, \u0027encore_entry_link_tags\u0027, \u0027encore_entry_script_tags\u0027,\n    \u0027is_granted\u0027,\n    \u0027qr_code_data_uri\u0027,\n    \u0027config\u0027,                       // \u003c-- sink, no key filter\n    \u0027create_date\u0027, \u0027month_names\u0027, \u0027locale_format\u0027,\n    \u0027class_name\u0027\n];\n```\n\n`src/Twig/Configuration.php:22-45` is the Twig function implementation:\n\n```php\npublic function getFunctions(): array\n{\n    return [new TwigFunction(\u0027config\u0027, [$this, \u0027get\u0027])];\n}\n\npublic function get(string $name)\n{\n    switch ($name) {\n        case \u0027chart-class\u0027:                     return \u0027\u0027;\n        case \u0027theme.chart.background_color\u0027:    return \u0027#3c8dbc\u0027;\n        // ... 4 more theme constants\n    }\n    return $this-\u003econfiguration-\u003efind($name);   // \u003c-- arbitrary key lookup\n}\n```\n\n`App\\Configuration\\SystemConfiguration::find()` at `src/Configuration/SystemConfiguration.php:54-62` is a direct dictionary lookup. The dictionary `$this-\u003esettings` is initialised from the `kimai.config` container parameter, which the `AppExtension` flattens from `kimai.yaml` into dotted-notation keys.\n```\n\nThe LDAP and SAML schemas declared in `src/DependencyInjection/Configuration.php` define secret-valued scalar nodes that survive the flattening and become reachable keys:\n\n```php\n// getLdapNode()\n-\u003earrayNode(\u0027connection\u0027)\n    -\u003echildren()\n        -\u003escalarNode(\u0027host\u0027)-\u003edefaultNull()-\u003eend()\n        -\u003escalarNode(\u0027username\u0027)-\u003eend()\n        -\u003escalarNode(\u0027password\u0027)-\u003eend()       // -\u003e settings[\u0027ldap.connection.password\u0027]\n        ...\n\n// getSamlNode()\n-\u003earrayNode(\u0027sp\u0027)\n    -\u003echildren()\n        -\u003escalarNode(\u0027x509cert\u0027)-\u003eend()\n        -\u003escalarNode(\u0027privateKey\u0027)-\u003eend()     // -\u003e settings[\u0027saml.connection.sp.privateKey\u0027]\n        ...\n```\n\nThe invoice and export renderers both enable the sandbox against `StrictPolicy` and pass the shared Twig environment - the one with the `config` function registered - into sandboxed rendering: `src/Invoice/Renderer/AbstractTwigRenderer.php:66-74` and `src/Export/Base/{PDFRenderer,HtmlRenderer}.php`. An admin who uploads a malicious invoice or export template therefore gets an unrestricted read primitive against `kimai.config`.\n\nIn a real deployment the attacker template is uploaded through the admin UI (ROLE_SUPER_ADMIN, permission `upload_invoice_template`), saved by `src/Invoice/InvoiceTemplate*` and later rendered by whoever generates an invoice or export for that template. The rendering user is typically a teamlead or admin with invoice permission (`INVOICE` permission set: `[\u0027view_invoice\u0027,\u0027create_invoice\u0027,\u0027manage_invoice_template\u0027]`, granted to ROLE_ADMIN and ROLE_TEAMLEAD in `config/packages/kimai.yaml`). The rendered output is returned as the invoice PDF/HTML or as a CSV/XLSX export, so the secrets land in a document that is routinely downloaded and emailed.\n\n### Impact\n\nAny Kimai deployment that (a) has SAML or LDAP configured in `kimai.yaml`, and (b) has at least one user (other than the current SUPER_ADMIN) who will render a template-based invoice or export in the future, is affected. A malicious or compromised SUPER_ADMIN can upload a template once, leave, and subsequent invoice or export generations by teamleads or other admins silently exfiltrate `ldap.connection.password`, `saml.connection.sp.privateKey`, `saml.connection.sp.x509cert`, and any other dotted configuration key into an attacker-readable artifact. The LDAP bind password gives domain-credential access to the company directory and often to every downstream system that trusts the same directory; the SAML SP private key allows an attacker to forge signed SAML assertions to any service provider that trusts the same key pair. This is the same class of defense-in-depth leak that GHSA-rh42-6rj2-xwmc patched for user-level secrets, at a broader impact because the keys leaked here are system-wide rather than per-user, and the current StrictPolicy does not intercept the `config()` call path. \n\n### Solution\n\nThe `config()` function was patched to only return a pre-configured list of settings in sandboxed mode. \n\nAdditional checks were added to prevent access to configs that start with `saml.` or `ldap.`.\n\nKimai will not issue a CVE, because this requires a SUPER_ADMIN account and it only affects system with activated LDAP or SAML, which also uses the invoice system.",
  "id": "GHSA-vrqv-52x7-rm4v",
  "modified": "2026-05-06T18:42:30Z",
  "published": "2026-05-06T18:42:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-vrqv-52x7-rm4v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai\u0027s Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.