Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.0
Kimai Leaks API Token Hash in Invoice Templates
GHSA-rh42-6rj2-xwmc
Summary
Sensitive API token hashes may be exposed in invoice templates created by admins on OnPremise installations with template upload enabled. This allows an attacker to obtain hashed API passwords of users who use those templates to generate invoices. To fix this, update your Kimai installation to the latest version.
What to do
- Update kimai kimai/kimai to version 2.53.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Packagist | kimai | kimai/kimai |
< 2.53.0 Fix: upgrade to 2.53.0
|
Original title
Kimai leaks API Token Hash via Invoice Twig Template
Original description
## Summary
The Twig sandbox used for invoice templates blocks certain sensitive `User` methods (password, TOTP secret, etc.) via a blocklist in `StrictPolicy::checkMethodAllowed()`. However, `getApiToken()` and `getPlainApiToken()` are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.
Only relevant for OnPremise installations with template upload activated.
## Background
Kimai allows admins (`ROLE_ADMIN` and above) with the `manage_invoice_template` permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with `StrictPolicy` controlling which methods and properties are accessible.
`StrictPolicy` explicitly blocks:
```php
// src/Twig/SecurityPolicy/StrictPolicy.php:156
if (\in_array($lcm, [
'getpassword',
'gettotpsecret',
'getplainpassword',
'getconfirmationtoken',
'gettotpauthenticationconfiguration'
], true)) {
throw new SecurityNotAllowedMethodError(...);
}
```
`getApiToken()` and `getPlainApiToken()` are **not** in this list and are freely callable.
## Vulnerable Code
`StrictPolicy.php` — missing entries in the User method blocklist:
```php
// Current
['getpassword', 'gettotpsecret', 'getplainpassword', 'getconfirmationtoken', 'gettotpauthenticationconfiguration']
// Should also include:
'getapitoken', 'getplainapitoken'
```
The invoice model passes a `User` object through `model.user`, accessible in any twig invoice template.
## Steps to Reproduce
1. Log in as an admin with the `manage_invoice_template` permission.
2. Create a new Twig invoice template (HTML or PDF) containing:
```twig
API Token: {{ model.user.getApiToken() }}
Plain Token: {{ model.user.getPlainApiToken() }}
```
3. Save the template and set it as the default for a customer.
4. Log in as a regular user assigned to that customer and generate an invoice.
5. Observe that the rendered invoice contains the user's API token in plaintext.
## Impact
An admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output.
- API passwords are [deprecated since April 2024](https://www.kimai.org/en/changelog/2024/cloud-update-104) and not in wide use anymore (especially by new users)
- The function `getPlainApiToken()` does NEVER return any data
- The function `getApiToken()` might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables
- The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated
## Fix
The SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878
This disables access to both the `getApiToken()` and `getPlainApiToken()` function.
The Twig sandbox used for invoice templates blocks certain sensitive `User` methods (password, TOTP secret, etc.) via a blocklist in `StrictPolicy::checkMethodAllowed()`. However, `getApiToken()` and `getPlainApiToken()` are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.
Only relevant for OnPremise installations with template upload activated.
## Background
Kimai allows admins (`ROLE_ADMIN` and above) with the `manage_invoice_template` permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with `StrictPolicy` controlling which methods and properties are accessible.
`StrictPolicy` explicitly blocks:
```php
// src/Twig/SecurityPolicy/StrictPolicy.php:156
if (\in_array($lcm, [
'getpassword',
'gettotpsecret',
'getplainpassword',
'getconfirmationtoken',
'gettotpauthenticationconfiguration'
], true)) {
throw new SecurityNotAllowedMethodError(...);
}
```
`getApiToken()` and `getPlainApiToken()` are **not** in this list and are freely callable.
## Vulnerable Code
`StrictPolicy.php` — missing entries in the User method blocklist:
```php
// Current
['getpassword', 'gettotpsecret', 'getplainpassword', 'getconfirmationtoken', 'gettotpauthenticationconfiguration']
// Should also include:
'getapitoken', 'getplainapitoken'
```
The invoice model passes a `User` object through `model.user`, accessible in any twig invoice template.
## Steps to Reproduce
1. Log in as an admin with the `manage_invoice_template` permission.
2. Create a new Twig invoice template (HTML or PDF) containing:
```twig
API Token: {{ model.user.getApiToken() }}
Plain Token: {{ model.user.getPlainApiToken() }}
```
3. Save the template and set it as the default for a customer.
4. Log in as a regular user assigned to that customer and generate an invoice.
5. Observe that the rendered invoice contains the user's API token in plaintext.
## Impact
An admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output.
- API passwords are [deprecated since April 2024](https://www.kimai.org/en/changelog/2024/cloud-update-104) and not in wide use anymore (especially by new users)
- The function `getPlainApiToken()` does NEVER return any data
- The function `getApiToken()` might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables
- The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated
## Fix
The SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878
This disables access to both the `getApiToken()` and `getPlainApiToken()` function.
osv CVSS3.1
2.0
Vulnerability type
CWE-184
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026