Kimai CVE-2026-52827
HIGHSeverity by source
Network-reachable API replay with no user interaction; password is the attacker's own stolen input (the factor 2FA defends), so PR:N; full API read/write yields C:H/I:H, no availability impact.
Lifecycle Timeline
3DescriptionCVE.org
Summary
Two-factor authentication (TOTP) can be fully bypassed for the REST API. The KIMAI_SESSION cookie returned in the response to the login request; issued after only the password is verified, before the TOTP step; is already accepted as authenticated by every /api/* endpoint.
So after submitting just the password, the web UI correctly holds the browser at the TOTP screen (/en/auth/2fa), but the cookie from that same login response can be replayed against the API to act as the user without ever entering the second factor. This affects any account with 2FA enabled and requires only the account password.
Details
Affected Component
- The API firewall / authorization.
config/packages/security.yaml guards the API with { path: '^/api', roles: IS_AUTHENTICATED }. During 2FA the session carries a Scheb TwoFactorToken, which satisfies IS_AUTHENTICATED (it is a real, non-anonymous token). App\API\Authentication\ApiRequestMatcher returns !$request->hasPreviousSession(), so a request that carries the login session skips the stateless API firewall and is served by the main session firewall; Scheb's TwoFactorAccessDecider::isAccessible() then evaluates IS_AUTHENTICATED to true for ^/api and lets it through, and App\Voter\ApiVoter grants API to any token whose user is a User. Web routes are not affected because they require concrete roles (e.g. ROLE_USER) that a TwoFactorToken does not hold.
PoC
_A PoC was provided, but removed for security reasons._
Impact
Two-factor authentication provides no protection for the REST API. If an attacker obtains a user's password (phishing, credential stuffing, reuse, breach); exactly the threat 2FA is meant to defend against; they get full authenticated API access as that user without the second factor. The whole exploit is a single cookie taken from the login response; no API token, Bearer header or CSRF token is required.
Solution
- The
/api/firewall now usesIS_AUTHENTICATED_REMEMBEREDwhich is only assigned after 2FA. The historically usedIS_AUTHENTICATEDflag is applied immediately after login and before 2FA happened. - The APIVoter checks both
$token instanceof TwoFactorTokenInterfaceandisGranted('IS_AUTHENTICATED_2FA_IN_PROGRESS', $user)to make sure that the user is not currently in the 2FA step. - Regression tests were added to prevent future escalation of the same issue.
See https://www.kimai.org/en/security/ghsa-v8hx-4vx8-wc96 for more information.
AnalysisAI
Two-factor authentication bypass in Kimai (open-source time-tracking) before 2.59.0 lets an attacker with only a victim's password reach every authenticated REST API endpoint without completing TOTP. The KIMAI_SESSION cookie returned by the password-only login response - issued before the 2FA step - is already treated as authenticated by /api/*, so it can be replayed to act fully as the user while the browser is still pinned to the 2FA screen. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Kimai account has 2FA/TOTP enabled (otherwise there is no second factor to bypass) and that the attacker already possesses the account's valid password - the single limiting prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was provided by the source, so attack-vector, complexity, and privilege metrics cannot be quoted from NVD and must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains a target user's Kimai password through phishing, credential stuffing, reuse, or a breach dump, then submits only that password to the login endpoint and captures the KIMAI_SESSION cookie from the response. Instead of completing the TOTP challenge, they replay that cookie against /api/* endpoints and read or modify the victim's time-tracking data as a fully authenticated user. … |
| Remediation | Vendor-released patch: upgrade Kimai to 2.59.0 or later, which changes the /api firewall to require IS_AUTHENTICATED_REMEMBERED (only granted after 2FA) instead of IS_AUTHENTICATED, and hardens ApiVoter to reject tokens that are a TwoFactorTokenInterface or where IS_AUTHENTICATED_2FA_IN_PROGRESS holds for the user. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, disable REST API access for non-essential users in Kimai and enforce password resets across the organization to limit exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v8hx-4vx8-wc96