GHSA-3JP4-MHH4-GCGR

Vulnerability from github – Published: 2026-04-14 01:06 – Updated: 2026-04-14 01:06
VLAI?
Summary
Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler
Details

Summary

The SAML authentication success handler in Kimai returns the RelayState POST parameter as a redirect destination without validating the host or scheme. After a user successfully authenticates via SAML, they are redirected to an attacker-controlled URL if the IdP includes a malicious RelayState value. This enables phishing attacks that steal credentials or session tokens post-SSO.

Requires SAML to be enabled (non-default configuration).

Details

Vulnerable file: src/Saml/Security/SamlAuthenticationSuccessHandler.php

// Line 27-33
$relayState = $request->request->get('RelayState', $request->query->get('RelayState'));
if (\is_scalar($relayState)) {
    $relayState = (string) $relayState;
    if ($relayState !== $this->httpUtils->generateUri($request, (string) $this->options['login_path'])) {
        return $relayState;  // No host/scheme validation — any URL accepted
    }
}

The only check is that RelayState does not equal the configured login_path. Any external URL (e.g., https://attacker.com) passes this check and is returned as the redirect destination.

The existing unit test SamlAuthenticationSuccessHandlerTest::testRelayState() confirms this behavior — an absolute URL in RelayState results in a redirect to that URL with no restriction.

Steps to Reproduce

1. Enable SAML authentication in Kimai
2. Configure a SAML IdP (e.g., SimpleSAMLphp)
3. Initiate IdP-initiated SSO with RelayState=https://attacker.com
   — or intercept the ACS POST and modify RelayState to https://attacker.com
4. Complete SAML authentication at the IdP
5. Observe: after the SAMLResponse POST to /saml/acs, Kimai issues:
   HTTP/1.1 302 Found
   Location: https://attacker.com

Code-confirmed via unit test (testRelayState): onAuthenticationSuccess with RelayState=http://localhost/relayed redirects directly to that URL. External URLs follow the same code path.

Impact

While this bug exists it has low practical possibilities and the attacker needs to be able to create a SAML request, meaning either admin access to an IdP supporting such an action OR access to the private SAML keys / certificates.

In other words: only exploitable in IdP-initiated SSO flows where the IdP includes a RelayState value supplied by the attacker (e.g., via a malicious link to the IdP).

Fix

The RelayState is validated before redirecting, see #5878

  • It may not contain a host or port and cannot start with //.
  • If it contains a host, it must match the current host.
Severity ?
0.0 (None)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.52.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T01:06:06Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe SAML authentication success handler in Kimai returns the `RelayState` POST parameter as a redirect destination without validating the host or scheme. After a user successfully authenticates via SAML, they are redirected to an attacker-controlled URL if the IdP includes a malicious `RelayState` value. This enables phishing attacks that steal credentials or session tokens post-SSO.\n\n*Requires SAML to be enabled (non-default configuration).*\n\n### Details\n\nVulnerable file: `src/Saml/Security/SamlAuthenticationSuccessHandler.php`\n\n```php\n// Line 27-33\n$relayState = $request-\u003erequest-\u003eget(\u0027RelayState\u0027, $request-\u003equery-\u003eget(\u0027RelayState\u0027));\nif (\\is_scalar($relayState)) {\n    $relayState = (string) $relayState;\n    if ($relayState !== $this-\u003ehttpUtils-\u003egenerateUri($request, (string) $this-\u003eoptions[\u0027login_path\u0027])) {\n        return $relayState;  // No host/scheme validation \u2014 any URL accepted\n    }\n}\n```\n\nThe only check is that `RelayState` does not equal the configured `login_path`. Any external URL (e.g., `https://attacker.com`) passes this check and is returned as the redirect destination.\n\nThe existing unit test `SamlAuthenticationSuccessHandlerTest::testRelayState()` confirms this behavior \u2014 an absolute URL in `RelayState` results in a redirect to that URL with no restriction.\n\n### Steps to Reproduce\n\n```\n1. Enable SAML authentication in Kimai\n2. Configure a SAML IdP (e.g., SimpleSAMLphp)\n3. Initiate IdP-initiated SSO with RelayState=https://attacker.com\n   \u2014 or intercept the ACS POST and modify RelayState to https://attacker.com\n4. Complete SAML authentication at the IdP\n5. Observe: after the SAMLResponse POST to /saml/acs, Kimai issues:\n   HTTP/1.1 302 Found\n   Location: https://attacker.com\n```\n\nCode-confirmed via unit test (`testRelayState`): `onAuthenticationSuccess` with `RelayState=http://localhost/relayed` redirects directly to that URL. External URLs follow the same code path.\n\n### Impact\n\nWhile this bug exists it has low practical possibilities and the attacker needs to be able to create a SAML request, meaning either admin access to an IdP supporting such an action OR access to the private SAML keys / certificates.\n\nIn other words: only exploitable in IdP-initiated SSO flows where the IdP includes a `RelayState` value supplied by the attacker (e.g., via a malicious link to the IdP).\n\n### Fix\n\nThe `RelayState` is validated before redirecting, see #5878\n\n- It may not contain a host or port and cannot start with `//`. \n- If it contains a host, it must match the current host.",
  "id": "GHSA-3jp4-mhh4-gcgr",
  "modified": "2026-04-14T01:06:06Z",
  "published": "2026-04-14T01:06:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-3jp4-mhh4-gcgr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/pull/5878"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.