kimai

Productivity & Wikis

Open‑source professional time‑tracking application for freelancers and companies

Track releases GitHub Website

PHP Latest 2.58.0 · 9d ago Security brief →

Features

JSON API for integration
Invoicing and data export capabilities
Multi‑user, multi‑timezone, multi‑language support (30+ translations)
Advanced authentication (SAML/LDAP/Database) with TOTP 2FA
Customizable roles, permissions, budgets and reporting

Recent releases

View all 13 releases →

Review required

2.58.0 Breaking risk 9d

Auth RBAC RCE / SSRF

Security hardening + wizard disable

Open

Review required

2.57.0 Breaking risk 13d

Auth RBAC Dependencies

Security hardenings

Open

2.56.0 Breaking risk 1mo

Breaking changes

Minimum PHP version requirement raised to 8.2

Notable features

New API endpoints for downloading and managing invoices
Re-usable ACL checks on teams with improved xxx_other_timesheet permissions
Improved ./kimai.sh management script

Full changelog

Compatible with PHP 8.2 to 8.5

‼️ The required minimum PHP version is now 8.2 (see below) ‼️

Added Catalan translation (#5921)
New API endpoint to download invoices (#5926)
New API endpoint to save invoice meta-fields (#5916)
Re-usable ACL checks on teams, xxx_other_timesheet permissions respect teams (#5925)
Whitelist PDF context options (#5924)
Twig config improvements (#5923)
Improved management script ./kimai.sh - please test and leave your feedback (#5909)
Translations update from Hosted Weblate (#5911)

⚠️⚠️⚠️ The required minimum PHP version is now 8.2 ⚠️⚠️⚠️

If you are still using PHP 8.1, please be aware it is EOL and does not receive security updates any longer. Many libraries added 8.2 as minimum requirements, so Kimai has to follow to receive updates.

If you have to upgrade to a newer version, do yourself the favor and upgrade directly to PHP 8.5.
The requirement for 8.2 is an intermediate solution for the near future, and the requirement will be raised to 8.5 rather sooner than later.

Involved in this release: @kevinpapst, @ntrpc-tech, @nullvector1, @melnicek, @fg0x0

View release on GitHub

2.55.0 Bug fix 1mo

Minor fixes and improvements.

Full changelog

Compatible with PHP 8.1 to 8.5

System-Account flag should always be editable (#5907)
Use absolute avatar URLs in Fixtures (#5907)
Explain importance of TRUSTED_HOSTS in .env (#5907)
Fix exporter column styles (duration, internal price and maybe more) (#5907)
Translations update from Hosted Weblate (#5904)

Involved in this release: @kevinpapst

View release on GitHub

2.54.0 Breaking risk 1mo

⚠ Upgrade required

PHP 8.1 to 8.5 supported

Breaking changes

API password authentication removed (long deprecated)
Avatar URL fields must be absolute URLs (relative URLs no longer accepted)
The = character is no longer allowed in name fields

Security fixes

Hardened permission checks on context-menu actions for specific items

Notable features

Added working_day() twig test for template rendering
Improved Team API documentation
Enhanced XLSX exports with StringCell formatting and formula identifier validation

Full changelog

Compatible with PHP 8.1 to 8.5

Avatar URL fields need to be a real absolute URL (#5896)
Do not allow the = character in name fields (#5896)
Sunset long deprecated API passwords (#5896)
Hardening permission checks on context-menu actions for specific items (#5896)
Added working_day() twig test (#5896)
Improved Team API docs (#5897)
Let view_team permission be handled by global ACLs (#5897)
Check for IsGranted('edit', 'team') instead of IsGranted('edit_team') (#5897)
Use StringCell for all exported content that is of type string for XSLX exports (#5899)
Always check for formula identifier, not only in position 0 in XLSX invoice (#5899)
Translations update from Hosted Weblate (#5892)