Critical Alert 1 Active Exploit Detected Today

CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability →
Powered by CVE Watchtower
×

CVE Watchtower


← Back to CVE List

CVE-2026-52824NVD

Vulnerability Summary

### Summary

The official Kimai Docker image ships with `APP_SECRET=change_this_to_something_unique` as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting `APP_SECRET` runs with a publicly-known Symfony `kernel.secret`, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.

### Details

`Dockerfile:263` sets `ENV APP_SECRET=change_this_to_something_unique`. This value is consumed by `config/packages/framework.yaml:7` as `kernel.secret`, which Symfony uses to HMAC-sign:

- The `KIMAI_REMEMBER` remember-me cookie
- LoginLink signatures
- Password reset URLs
- CSRF tokens

The `.docker/entrypoint.sh` does not check for or replace the default sentinel value. The bare-metal `.env.dist:38` ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when `APP_SECRET` equals the sentinel.

User IDs are sequential integers starting from 1. The first super_admin account is almost always `id=1`. User IDs are visible in some URLs and API responses.

*A PoC was provided, but removed for security reasons.*

### Impact

Any Kimai instance deployed via the official Docker image without overriding `APP_SECRET` can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:
- a username is known AND
- the correct account ID for this username is guessed AND
- the account has no active 2FA (two factor) authentication

## Solution

- The entrypoint.sh file is updated and now contains a script that generates a random `APP_SECRET` via `bin2hex(random_bytes(32))` which will be stored in `/opt/kimai/var/data/.appsecret`
- The entrypoint.sh will create the file `/opt/kimai/.env.local` containing the `APP_SECRET`, either fetched from the Docker Environment or from the newly created secret file
- The documentation was updated to highlight the importance of using a random secret for `APP_SECRET`
- The Dockerfile removed default `APP_SECRET=change_this_to_something_unique`
- Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded `APP_SECRET=change_this_to_something_unique`

See [https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58](https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58) for more information.
Severity Level
CRITICAL
Published Date
Jul 14, 2026
Last Modified
Jul 14, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
Data Pending
Root Weakness (CWE)
N/A

External References