Skip to main content

Kimai CVE-2026-52824

CRITICAL
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-07-14 https://github.com/kimai/kimai GHSA-jr9p-4h4j-6c58
Share

Severity by source

vuln.today AI
8.1 HIGH

Remote unauthenticated (AV:N/PR:N/UI:N) but AC:H due to required username knowledge, account-ID guessing, absence of 2FA and the default-secret condition; full account takeover gives C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 00:32 vuln.today
Analysis Generated
Jul 14, 2026 - 00:32 vuln.today
CVE Published
Jul 14, 2026 - 00:07 cve.org
CRITICAL

DescriptionCVE.org

Summary

The official Kimai Docker image ships with APP_SECRET=change_this_to_something_unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP_SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.

Details

Dockerfile:263 sets ENV APP_SECRET=change_this_to_something_unique. This value is consumed by config/packages/framework.yaml:7 as kernel.secret, which Symfony uses to HMAC-sign:

  • The KIMAI_REMEMBER remember-me cookie
  • LoginLink signatures
  • Password reset URLs
  • CSRF tokens

The .docker/entrypoint.sh does not check for or replace the default sentinel value. The bare-metal .env.dist:38 ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when APP_SECRET equals the sentinel.

User IDs are sequential integers starting from 1. The first super_admin account is almost always id=1. User IDs are visible in some URLs and API responses.

*A PoC was provided, but removed for security reasons.*

Impact

Any Kimai instance deployed via the official Docker image without overriding APP_SECRET can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:

  • a username is known AND
  • the correct account ID for this username is guessed AND
  • the account has no active 2FA (two factor) authentication

Solution

  • The entrypoint.sh file is updated and now contains a script that generates a random APP_SECRET via bin2hex(random_bytes(32)) which will be stored in /opt/kimai/var/data/.appsecret
  • The entrypoint.sh will create the file /opt/kimai/.env.local containing the APP_SECRET, either fetched from the Docker Environment or from the newly created secret file
  • The documentation was updated to highlight the importance of using a random secret for APP_SECRET
  • The Dockerfile removed default APP_SECRET=change_this_to_something_unique
  • Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded APP_SECRET=change_this_to_something_unique

See https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58 for more information.

AnalysisAI

Account takeover in Kimai (<= 2.57.0) stems from the official Docker image shipping a hard-coded default APP_SECRET ('change_this_to_something_unique') that Symfony consumes as kernel.secret. Because this HMAC signing key is publicly known and the entrypoint never rotates or validates it, a remote unauthenticated attacker can forge remember-me cookies, LoginLink signatures, password-reset URLs and CSRF tokens to log in as any user, including the id=1 super_admin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach internet-facing Kimai URL
Delivery
Enumerate username and guess sequential account ID
Exploit
Forge HMAC token with known default APP_SECRET
Execution
Present forged remember-me cookie or login link
Impact
Authenticate as super_admin (id=1) and take over account

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Kimai instance was deployed from the official Docker image (or bare-metal .env.dist) WITHOUT overriding the APP_SECRET environment variable, so it runs with the publicly-known sentinel 'change_this_to_something_unique' as Symfony's kernel.secret, and that the instance is network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS, EPSS, KEV or SSVC data was supplied, so real-world risk is inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reaches an internet-exposed Kimai instance running the default Docker image, notes that user IDs are sequential and super_admin is typically id=1, and learns or guesses a valid username. Using the publicly-known default APP_SECRET as the Symfony signing key, they forge a valid KIMAI_REMEMBER cookie or login link offline and present it to authenticate as super_admin. …
Remediation Vendor-released patch: upgrade to Kimai 2.58.0 or later, in which the Dockerfile no longer sets a default APP_SECRET, the entrypoint.sh generates a random secret via bin2hex(random_bytes(32)) stored at /opt/kimai/var/data/.appsecret and written into /opt/kimai/.env.local, and login links carry extra entropy (GHSA-m492-gv72-xvxj) so forgery fails even on instances still using the sentinel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Kimai deployments using Docker and immediately isolate or halt affected instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-52824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy