kimai

v2.58.0 Security

This release includes 9 security fixes and is relevant to security teams reviewing exposed deployments.

Published 9d ago, category: Productivity & Wikis
✓ No known CVEs patched

Topics: doctrine, invoice, invoicing, kimai, multilanguage, php, self-hosted, symfony, tabler, time-tracker, time-tracking, timetracker, timetracking, timetrackingapp, twig

Affected surfaces: auth, rbac, rce_ssrf

ReleasePort's take

Signal: light (editorial: auto, 9d)

Release 2.58.0 adds a user‑onboarding toggle and migrates the frontend to PNPM while fixing several security gaps.

Why it matters: the security fixes prevent password-reset link reuse, CSRF on timesheet endpoints, unsafe image rendering in custom templates, and unsafe external fetches from custom templates; a feature flag disables the first-time wizard for new users (severity 40); the dependency shift to PNPM may affect build pipelines.

Summary

AI summary

A mixed release covering bug fixes, Docker changes, and CI updates.

Changes in this release

  • Security, High: Prevent re-use of Password-Reset link (source: llm_adapter@2026-05-25, confidence: high)
  • Security, High: Removed API timesheet stop/restart GET endpoints to prevent CSRF (source: llm_adapter@2026-05-25, confidence: high)
  • Security, High: Prevent rendering images via markdown in custom templates (source: llm_adapter@2026-05-25, confidence: high)
  • Security, High: Use a safe network client for fetching external sources in custom templates (source: llm_adapter@2026-05-25, confidence: high)
  • Security, High: Verify current user can see user/activity when editing team via API (source: llm_adapter@2026-05-25, confidence: high)
  • Security, High: Move create default team routes to API to prevent CSRF (source: llm_adapter@2026-05-25, confidence: high)
  • Security, Medium: User permissions <name>_other_profile now respect teams (source: granite4.1:30b@2026-05-25-audit, confidence: low)
  • Security, Medium: Added audit job to scan frontend dependencies for known vulnerabilities in CI (source: granite4.1:30b@2026-05-25-audit, confidence: low)
  • Security, Medium: Added zizmor security check for GitHub Action workflows in CI (source: granite4.1:30b@2026-05-25-audit, confidence: low)
  • Security, Medium: Verify Project permissions in Timesheet Restart and Duplicate operations (source: granite4.1:30b@2026-05-25-audit, confidence: low)
  • Security, Medium: Prevent teamleads from creating ExportTemplate via hidden button (source: granite4.1:30b@2026-05-25-audit, confidence: low)
  • Feature, Medium: Adds a setting to disable first time wizard for new users (source: llm_adapter@2026-05-25, confidence: high)
  • Dependency, Medium: Switch to PNPM for frontend dependencies (source: llm_adapter@2026-05-25, confidence: high)
  • Performance, Low: Relax upper PHP version requirement (source: granite4.1:30b@2026-05-25-audit, confidence: low)
  • Bugfix, Medium: Fix: actions could trigger GET requests to the API (source: llm_adapter@2026-05-25, confidence: high)
  • Bugfix, Medium: Fix: sticky tooltip survives page reload (source: llm_adapter@2026-05-25, confidence: high)

Full changelog

Compatible with PHP 8.2 to 8.5

  • Adds a setting to disable first time wizard for new users (#5938) - thanks @tofuSCHNITZEL
  • Switch to PNPM for frontend dependencies (#5953)
  • New wizard images (#5952)
  • Split wizards and password reset subscriber into two classes (#5952)
  • Relax upper PHP version (#5952)
  • Fix: sticky tooltip survives page reload (#5952)
  • Fix: actions could trigger GET requests to the API (#5952)
  • Fix: formatting locale reset after embedded controller sub-requests (#5944) - thanks @cheriimoya
  • Split CI lint and test jobs in separate workflows (#5952)
  • Docker: use tag as ref for checkout and build from local code (#5952)
  • Docker: new docker image version name (#5952)

Security

This release contains quite a few security related improvements and fixes (yep, LLMs are pretty strong nowadays).

  • User permissions <name>_other_profile now respect teams
  • CI: Added audit job to scan frontend deps for known vulnerabilities
  • CI: Added zizmor for GitHub action workflow security
  • Verify Project permissions in Timesheet Restart and Duplicate - thanks @Mitchell45
  • Prevent re-use of Password-Reset link - thanks @AzureADTrent
  • Auto generated APP_SECRET in Docker images - thanks @AzureADTrent
  • Removed API timesheet stop/restart GET endpoints to prevent CSRF - thanks @Mitchell45
  • Teamleads could create ExportTemplate despite hidden button - thanks @AzureADTrent
  • Prevent rendering images via markdown in custom templates - thanks @Mitchell45
  • Use a safe network client for fetching external sources in custom templates - thanks @Mitchell45
  • Verify current user can see user/activity when editing team via API - thanks @Mitchell45
  • Move create default team routes to API to prevent CSRF - thanks @Mitchell45

Involved in this release: @kevinpapst and @cheriimoya and @tofuSCHNITZEL and @Mitchell45 and @AzureADTrent

Breaking Changes

  • Removed API timesheet stop/restart GET endpoints to prevent CSRF

Security Fixes

  • <name>_other_profile user permissions now respect teams
  • CI audit job scans frontend dependencies for known vulnerabilities; zizmor checks GitHub Action workflows
  • Prevent re‑use of password‑reset link
  • Auto‑generated APP_SECRET in Docker images
  • Verify project permissions in Timesheet Restart and Duplicate
  • Prevent rendering images via markdown in custom templates
  • Use safe network client for fetching external sources in custom templates
  • Verify current user can see user/activity when editing team via API
  • Move create default team routes to API to prevent CSRF


About kimai

Kimai is the #1 open-source time-tracking application. From freelancers to companies and organisations - everyone can manage timesheets, generate reports, create invoices and so much more... Web-based multi-user application, available as On-Premise or SaaS version: https://www.kimai.org
