GHSA-RH42-6RJ2-XWMC

Vulnerability from github – Published: 2026-04-14 01:06 – Updated: 2026-04-14 01:06
VLAI?
Summary
Kimai leaks API Token Hash via Invoice Twig Template
Details

Summary

The Twig sandbox used for invoice templates blocks certain sensitive User methods (password, TOTP secret, etc.) via a blocklist in StrictPolicy::checkMethodAllowed(). However, getApiToken() and getPlainApiToken() are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.

Only relevant for OnPremise installations with template upload activated.

Background

Kimai allows admins (ROLE_ADMIN and above) with the manage_invoice_template permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with StrictPolicy controlling which methods and properties are accessible.

StrictPolicy explicitly blocks:

// src/Twig/SecurityPolicy/StrictPolicy.php:156
if (\in_array($lcm, [
    'getpassword',
    'gettotpsecret',
    'getplainpassword',
    'getconfirmationtoken',
    'gettotpauthenticationconfiguration'
], true)) {
    throw new SecurityNotAllowedMethodError(...);
}

getApiToken() and getPlainApiToken() are not in this list and are freely callable.

Vulnerable Code

StrictPolicy.php — missing entries in the User method blocklist:

// Current
['getpassword', 'gettotpsecret', 'getplainpassword', 'getconfirmationtoken', 'gettotpauthenticationconfiguration']

// Should also include:
'getapitoken', 'getplainapitoken'

The invoice model passes a User object through model.user, accessible in any twig invoice template.

Steps to Reproduce

  1. Log in as an admin with the manage_invoice_template permission.
  2. Create a new Twig invoice template (HTML or PDF) containing:
API Token: {{ model.user.getApiToken() }}
Plain Token: {{ model.user.getPlainApiToken() }}
  1. Save the template and set it as the default for a customer.
  2. Log in as a regular user assigned to that customer and generate an invoice.
  3. Observe that the rendered invoice contains the user's API token in plaintext.

Impact

An admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output.

  • API passwords are deprecated since April 2024 and not in wide use anymore (especially by new users)
  • The function getPlainApiToken() does NEVER return any data
  • The function getApiToken() might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables
  • The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated

Fix

The SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878

This disables access to both the getApiToken() and getPlainApiToken() function.

Severity ?
2.0 (Low)
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.52.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T01:06:25Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe Twig sandbox used for invoice templates blocks certain sensitive `User` methods (password, TOTP secret, etc.) via a blocklist in `StrictPolicy::checkMethodAllowed()`. However, `getApiToken()` and `getPlainApiToken()` are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.\n\nOnly relevant for OnPremise installations with template upload activated.\n\n## Background\n\nKimai allows admins (`ROLE_ADMIN` and above) with the `manage_invoice_template` permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with `StrictPolicy` controlling which methods and properties are accessible.\n\n`StrictPolicy` explicitly blocks:\n\n```php\n// src/Twig/SecurityPolicy/StrictPolicy.php:156\nif (\\in_array($lcm, [\n    \u0027getpassword\u0027,\n    \u0027gettotpsecret\u0027,\n    \u0027getplainpassword\u0027,\n    \u0027getconfirmationtoken\u0027,\n    \u0027gettotpauthenticationconfiguration\u0027\n], true)) {\n    throw new SecurityNotAllowedMethodError(...);\n}\n```\n\n`getApiToken()` and `getPlainApiToken()` are **not** in this list and are freely callable.\n\n## Vulnerable Code\n\n`StrictPolicy.php` \u2014 missing entries in the User method blocklist:\n\n```php\n// Current\n[\u0027getpassword\u0027, \u0027gettotpsecret\u0027, \u0027getplainpassword\u0027, \u0027getconfirmationtoken\u0027, \u0027gettotpauthenticationconfiguration\u0027]\n\n// Should also include:\n\u0027getapitoken\u0027, \u0027getplainapitoken\u0027\n```\n\nThe invoice model passes a `User` object through `model.user`, accessible in any twig invoice template.\n\n## Steps to Reproduce\n\n1. Log in as an admin with the `manage_invoice_template` permission.\n2. Create a new Twig invoice template (HTML or PDF) containing:\n\n```twig\nAPI Token: {{ model.user.getApiToken() }}\nPlain Token: {{ model.user.getPlainApiToken() }}\n```\n\n3. Save the template and set it as the default for a customer.\n4. Log in as a regular user assigned to that customer and generate an invoice.\n5. Observe that the rendered invoice contains the user\u0027s API token in plaintext.\n\n## Impact\n\nAn admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output. \n\n- API passwords are [deprecated since April 2024](https://www.kimai.org/en/changelog/2024/cloud-update-104) and not in wide use anymore (especially by new users)\n- The function `getPlainApiToken()` does NEVER return any data\n- The function `getApiToken()` might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables\n- The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated\n\n## Fix\n\nThe SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878 \n\nThis disables access to both the `getApiToken()` and `getPlainApiToken()` function.",
  "id": "GHSA-rh42-6rj2-xwmc",
  "modified": "2026-04-14T01:06:25Z",
  "published": "2026-04-14T01:06:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-rh42-6rj2-xwmc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/pull/5878"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kimai leaks API Token Hash via Invoice Twig Template"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.