Product
A critical vulnerability, CVE-2026-52827, in Kimai versions prior to 2.59.0 allows an attacker who has compromised a user's password to bypass Two-Factor Authentication (TOTP) for the REST API by intercepting and replaying the `KIMAI_SESSION` cookie obtained after password verification but before TOTP completion, granting full authenticated API access.