<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kimai (&lt; 2.59.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/kimai--2.59.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 00:35:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/kimai--2.59.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kimai REST API Two-Factor Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-kimai-2fa-bypass/</link><pubDate>Tue, 14 Jul 2026 00:35:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-kimai-2fa-bypass/</guid><description>A critical vulnerability, CVE-2026-52827, in Kimai versions prior to 2.59.0 allows an attacker who has compromised a user's password to bypass Two-Factor Authentication (TOTP) for the REST API by intercepting and replaying the `KIMAI_SESSION` cookie obtained after password verification but before TOTP completion, granting full authenticated API access.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, identified as CVE-2026-52827, affects Kimai versions prior to 2.59.0, allowing attackers to circumvent Two-Factor Authentication (TOTP) for the REST API. This flaw enables an attacker who has compromised a user's password to obtain a <code>KIMAI_SESSION</code> cookie during the initial login phase, even before the TOTP step is completed. By replaying this cookie against any <code>/api/*</code> endpoint, the attacker gains full authenticated API access as the legitimate user without ever needing to provide the second authentication factor. This vulnerability effectively nullifies 2FA protection for Kimai's API, exposing affected instances to unauthorized data access and manipulation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains a user's password for a Kimai instance through various means (e.g., phishing, credential stuffing, or password reuse).</li>
<li>The attacker initiates a login attempt to the Kimai web UI (<code>/en/auth/login</code>) using the compromised credentials.</li>
<li>Kimai's authentication process validates the provided password and, before prompting for the Two-Factor Authentication (TOTP) code, issues a <code>KIMAI_SESSION</code> cookie.</li>
<li>The attacker intercepts this <code>KIMAI_SESSION</code> cookie from the HTTP response, prior to the TOTP verification step.</li>
<li>The attacker then crafts subsequent HTTP requests to any <code>/api/*</code> endpoint, including the intercepted <code>KIMAI_SESSION</code> cookie in the request headers.</li>
<li>Due to a logical flaw in Kimai's API firewall and <code>APIVoter</code> (specifically using <code>IS_AUTHENTICATED</code> instead of <code>IS_AUTHENTICATED_REMEMBERED</code> and not properly checking <code>TwoFactorTokenInterface</code> status), the API treats the session as fully authenticated.</li>
<li>This grants the attacker complete, unauthorized access to the Kimai REST API, allowing them to perform any actions permitted to the compromised user, effectively bypassing the intended 2FA protection.</li>
<li>The attacker can now exfiltrate sensitive data, manipulate time entries, or perform other malicious actions via the API.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability completely neutralizes the protection offered by Two-Factor Authentication for Kimai's REST API. If an attacker successfully compromises a user's password, they gain full authenticated API access, irrespective of whether 2FA is enabled for that account. This can lead to unauthorized access to sensitive user data, manipulation of time tracking entries, and other critical business functions managed via the API. The exploit requires only the compromised password and the <code>KIMAI_SESSION</code> cookie, making it a straightforward attack vector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Kimai installations immediately to version 2.59.0 or later to address CVE-2026-52827, which includes updated API firewall logic.</li>
<li>Verify that the <code>config/packages/security.yaml</code> file in your Kimai instance correctly utilizes <code>IS_AUTHENTICATED_REMEMBERED</code> for API paths and that the <code>APIVoter</code> checks for <code>TwoFactorTokenInterface</code> and <code>IS_AUTHENTICATED_2FA_IN_PROGRESS</code> status, as outlined in the solution section of the advisory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kimai</category><category>api</category><category>2fa-bypass</category><category>vulnerability</category><category>web-application</category></item></channel></rss>