Kimai REST API Two-Factor Authentication Bypass Vulnerability
A critical vulnerability, CVE-2026-52827, in Kimai versions prior to 2.59.0 allows an attacker who has compromised a user's password to bypass Two-Factor Authentication (TOTP) for the REST API by intercepting and replaying the `KIMAI_SESSION` cookie obtained after password verification but before TOTP completion, granting full authenticated API access.
A critical authentication bypass vulnerability, identified as CVE-2026-52827, affects Kimai versions prior to 2.59.0, allowing attackers to circumvent Two-Factor Authentication (TOTP) for the REST API. This flaw enables an attacker who has compromised a user's password to obtain a KIMAI_SESSION cookie during the initial login phase, even before the TOTP step is completed. By replaying this cookie against any /api/* endpoint, the attacker gains full authenticated API access as the legitimate user without ever needing to provide the second authentication factor. This vulnerability effectively nullifies 2FA protection for Kimai's API, exposing affected instances to unauthorized data access and manipulation.
Attack Chain
- An attacker obtains a user's password for a Kimai instance through various means (e.g., phishing, credential stuffing, or password reuse).
- The attacker initiates a login attempt to the Kimai web UI (
/en/auth/login) using the compromised credentials. - Kimai's authentication process validates the provided password and, before prompting for the Two-Factor Authentication (TOTP) code, issues a
KIMAI_SESSIONcookie. - The attacker intercepts this
KIMAI_SESSIONcookie from the HTTP response, prior to the TOTP verification step. - The attacker then crafts subsequent HTTP requests to any
/api/*endpoint, including the interceptedKIMAI_SESSIONcookie in the request headers. - Due to a logical flaw in Kimai's API firewall and
APIVoter(specifically usingIS_AUTHENTICATEDinstead ofIS_AUTHENTICATED_REMEMBEREDand not properly checkingTwoFactorTokenInterfacestatus), the API treats the session as fully authenticated. - This grants the attacker complete, unauthorized access to the Kimai REST API, allowing them to perform any actions permitted to the compromised user, effectively bypassing the intended 2FA protection.
- The attacker can now exfiltrate sensitive data, manipulate time entries, or perform other malicious actions via the API.
Impact
This vulnerability completely neutralizes the protection offered by Two-Factor Authentication for Kimai's REST API. If an attacker successfully compromises a user's password, they gain full authenticated API access, irrespective of whether 2FA is enabled for that account. This can lead to unauthorized access to sensitive user data, manipulation of time tracking entries, and other critical business functions managed via the API. The exploit requires only the compromised password and the KIMAI_SESSION cookie, making it a straightforward attack vector.
Recommendation
- Patch Kimai installations immediately to version 2.59.0 or later to address CVE-2026-52827, which includes updated API firewall logic.
- Verify that the
config/packages/security.yamlfile in your Kimai instance correctly utilizesIS_AUTHENTICATED_REMEMBEREDfor API paths and that theAPIVoterchecks forTwoFactorTokenInterfaceandIS_AUTHENTICATED_2FA_IN_PROGRESSstatus, as outlined in the solution section of the advisory.