<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kimai (Docker Image) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/kimai-docker-image/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 00:08:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/kimai-docker-image/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kimai Docker Image Default APP_SECRET Allows Account Takeover (CVE-2026-52824)</title><link>https://feed.craftedsignal.io/briefs/2026-07-kimai-docker-app-secret/</link><pubDate>Tue, 14 Jul 2026 00:08:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-kimai-docker-app-secret/</guid><description>A critical vulnerability, CVE-2026-52824, in the official Kimai Docker image allows unauthenticated attackers to forge authentication tokens and achieve account takeover, including super_admin accounts, due to the image shipping with a default, publicly known APP_SECRET environment variable used by Symfony to HMAC-sign session cookies and login links.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-52824) affects the official Kimai Docker image, enabling unauthenticated attackers to achieve full account takeover. The root cause is the Docker image shipping with a hardcoded <code>APP_SECRET=change_this_to_something_unique</code> environment variable, which is a known secret. This <code>APP_SECRET</code> is used by the underlying Symfony framework to HMAC-sign sensitive data such as the <code>KIMAI_REMEMBER</code> cookie, login links, and password reset URLs. If a Kimai instance is deployed via Docker without explicitly overriding this default <code>APP_SECRET</code>, an attacker can leverage this known value to forge valid authentication tokens. This allows them to bypass authentication and log in as any user, including <code>super_admin</code>, provided the attacker knows the username, can guess the sequential user ID, and the target account does not have 2FA enabled. The vulnerability affects Kimai versions up to and including 2.57.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance</strong>: An unauthenticated attacker identifies an internet-exposed Kimai instance.</li>
<li><strong>Vulnerability Identification</strong>: The attacker determines that the Kimai instance is running the official Docker image with the default, known <code>APP_SECRET</code>.</li>
<li><strong>Target Identification</strong>: The attacker identifies a target username (e.g., <code>super_admin</code>) and guesses the corresponding sequential user ID (often 1 for the initial admin account).</li>
<li><strong>Token Forgery</strong>: Using the publicly known default <code>APP_SECRET</code> (<code>change_this_to_something_unique</code>), the attacker crafts a valid HMAC-signed <code>KIMAI_REMEMBER</code> cookie or a login link URL for the target user ID.</li>
<li><strong>Authentication Bypass</strong>: The attacker sends the forged cookie in an HTTP request to the Kimai instance or navigates directly to the forged login link.</li>
<li><strong>Account Takeover</strong>: The vulnerable Kimai instance validates the forged cookie or login link using the default <code>APP_SECRET</code> and grants the attacker authenticated access to the target user's account without requiring valid credentials.</li>
<li><strong>Post-Exploitation</strong>: The attacker gains full control over the compromised user's account, potentially performing further actions like privilege escalation, data exfiltration, or establishing additional persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Any Kimai instance deployed via its official Docker image without overriding the default <code>APP_SECRET</code> is critically vulnerable to unauthenticated account takeover. An attacker can compromise <code>super_admin</code> accounts, leading to full control over the Kimai application, its data, and potentially integrated systems. This can result in unauthorized access to sensitive project and user data, manipulation of timesheets, or disruption of business operations. The attacker only needs to know a username, guess a sequential user ID, and the account must not have active two-factor authentication. This vulnerability affects a broad range of organizations using Kimai for time tracking and project management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-52824</strong>: Immediately update all Kimai instances to a patched version (newer than 2.57.0), which includes updates to <code>entrypoint.sh</code> to generate a random <code>APP_SECRET</code> and removes the default from the Dockerfile.</li>
<li><strong>Configure APP_SECRET</strong>: For all Kimai Docker deployments, explicitly set a unique and strong <code>APP_SECRET</code> environment variable using Docker secrets or Kubernetes secrets management. Do not rely on the default value.</li>
<li><strong>Review Documentation</strong>: Refer to the updated Kimai security documentation (linked in references) for best practices regarding <code>APP_SECRET</code> configuration.</li>
<li><strong>Enable Multi-Factor Authentication</strong>: For critical accounts, enable 2FA where available to add an additional layer of security, as the attack is mitigated if 2FA is active.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>web-application</category><category>misconfiguration</category><category>account-takeover</category><category>docker</category></item></channel></rss>