Kimai CVE-2026-52824
CRITICALSeverity by source
Remote unauthenticated (AV:N/PR:N/UI:N) but AC:H due to required username knowledge, account-ID guessing, absence of 2FA and the default-secret condition; full account takeover gives C:H/I:H/A:H.
Lifecycle Timeline
3DescriptionCVE.org
Summary
The official Kimai Docker image ships with APP_SECRET=change_this_to_something_unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP_SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.
Details
Dockerfile:263 sets ENV APP_SECRET=change_this_to_something_unique. This value is consumed by config/packages/framework.yaml:7 as kernel.secret, which Symfony uses to HMAC-sign:
- The
KIMAI_REMEMBERremember-me cookie - LoginLink signatures
- Password reset URLs
- CSRF tokens
The .docker/entrypoint.sh does not check for or replace the default sentinel value. The bare-metal .env.dist:38 ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when APP_SECRET equals the sentinel.
User IDs are sequential integers starting from 1. The first super_admin account is almost always id=1. User IDs are visible in some URLs and API responses.
*A PoC was provided, but removed for security reasons.*
Impact
Any Kimai instance deployed via the official Docker image without overriding APP_SECRET can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:
- a username is known AND
- the correct account ID for this username is guessed AND
- the account has no active 2FA (two factor) authentication
Solution
- The entrypoint.sh file is updated and now contains a script that generates a random
APP_SECRETviabin2hex(random_bytes(32))which will be stored in/opt/kimai/var/data/.appsecret - The entrypoint.sh will create the file
/opt/kimai/.env.localcontaining theAPP_SECRET, either fetched from the Docker Environment or from the newly created secret file - The documentation was updated to highlight the importance of using a random secret for
APP_SECRET - The Dockerfile removed default
APP_SECRET=change_this_to_something_unique - Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded
APP_SECRET=change_this_to_something_unique
See https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58 for more information.
Articles & Coverage 1
AnalysisAI
Account takeover in Kimai (<= 2.57.0) stems from the official Docker image shipping a hard-coded default APP_SECRET ('change_this_to_something_unique') that Symfony consumes as kernel.secret. Because this HMAC signing key is publicly known and the entrypoint never rotates or validates it, a remote unauthenticated attacker can forge remember-me cookies, LoginLink signatures, password-reset URLs and CSRF tokens to log in as any user, including the id=1 super_admin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Kimai instance was deployed from the official Docker image (or bare-metal .env.dist) WITHOUT overriding the APP_SECRET environment variable, so it runs with the publicly-known sentinel 'change_this_to_something_unique' as Symfony's kernel.secret, and that the instance is network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS, EPSS, KEV or SSVC data was supplied, so real-world risk is inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reaches an internet-exposed Kimai instance running the default Docker image, notes that user IDs are sequential and super_admin is typically id=1, and learns or guesses a valid username. Using the publicly-known default APP_SECRET as the Symfony signing key, they forge a valid KIMAI_REMEMBER cookie or login link offline and present it to authenticate as super_admin. … |
| Remediation | Vendor-released patch: upgrade to Kimai 2.58.0 or later, in which the Dockerfile no longer sets a default APP_SECRET, the entrypoint.sh generates a random secret via bin2hex(random_bytes(32)) stored at /opt/kimai/var/data/.appsecret and written into /opt/kimai/.env.local, and login links carry extra entropy (GHSA-m492-gv72-xvxj) so forgery fails even on instances still using the sentinel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Kimai deployments using Docker and immediately isolate or halt affected instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jr9p-4h4j-6c58