Product
A critical vulnerability, CVE-2026-52824, in the official Kimai Docker image allows unauthenticated attackers to forge authentication tokens and achieve account takeover, including super_admin accounts, due to the image shipping with a default, publicly known APP_SECRET environment variable used by Symfony to HMAC-sign session cookies and login links.