
Release history

kimai releases

Kimai is the #1 open-source time-tracking application. From freelancers to companies and organisations - everyone can manage timesheets, generate reports, create invoices and so much more... Web-based multi-user application, available as On-Premise or SaaS version: https://www.kimai.org


Review required
2.58.0 Breaking risk
Auth RBAC RCE / SSRF

Security hardening + wizard disable

Review required
2.57.0 Breaking risk
Auth RBAC Dependencies

Security hardenings

2.56.0 Breaking risk
Breaking changes
  • Minimum PHP version requirement raised to 8.2
Notable features
  • New API endpoints for downloading and managing invoices
  • Re-usable ACL checks on teams with improved xxx_other_timesheet permissions
  • Improved ./kimai.sh management script
Full changelog

Compatible with PHP 8.2 to 8.5

‼️ The required minimum PHP version is now 8.2 (see below) ‼️

  • Added Catalan translation (#5921)
  • New API endpoint to download invoices (#5926)
  • New API endpoint to save invoice meta-fields (#5916)
  • Re-usable ACL checks on teams, xxx_other_timesheet permissions respect teams (#5925)
  • Whitelist PDF context options (#5924)
  • Twig config improvements (#5923)
  • Improved management script ./kimai.sh - please test and leave your feedback (#5909)
  • Translations update from Hosted Weblate (#5911)

⚠️⚠️⚠️ The required minimum PHP version is now 8.2 ⚠️⚠️⚠️

If you are still using PHP 8.1, please be aware that it is EOL and no longer receives security updates. Many libraries have made 8.2 their minimum requirement, so Kimai has to follow in order to receive updates.

If you have to upgrade to a newer version, do yourself a favor and upgrade directly to PHP 8.5.
The requirement for 8.2 is an intermediate solution for the near future, and the requirement will be raised to 8.5 sooner rather than later.

Involved in this release: @kevinpapst, @ntrpc-tech, @nullvector1, @melnicek, @fg0x0

2.55.0 Bug fix

Minor fixes and improvements.

Full changelog

Compatible with PHP 8.1 to 8.5

  • System-Account flag should always be editable (#5907)
  • Use absolute avatar URLs in Fixtures (#5907)
  • Explain importance of TRUSTED_HOSTS in .env (#5907)
  • Fix exporter column styles (duration, internal price and maybe more) (#5907)
  • Translations update from Hosted Weblate (#5904)

Involved in this release: @kevinpapst

2.54.0 Breaking risk
⚠ Upgrade required
  • PHP 8.1 to 8.5 supported
Breaking changes
  • API password authentication removed (long deprecated)
  • Avatar URL fields must be absolute URLs (relative URLs no longer accepted)
  • The = character is no longer allowed in name fields
Security fixes
  • Hardened permission checks on context-menu actions for specific items
Notable features
  • Added working_day() twig test for template rendering
  • Improved Team API documentation
  • Enhanced XLSX exports with StringCell formatting and formula identifier validation
Full changelog

Compatible with PHP 8.1 to 8.5

  • Avatar URL fields need to be a real absolute URL (#5896)
  • Do not allow the = character in name fields (#5896)
  • Sunset long deprecated API passwords (#5896)
  • Hardening permission checks on context-menu actions for specific items (#5896)
  • Added working_day() twig test (#5896)
  • Improved Team API docs (#5897)
  • Let view_team permission be handled by global ACLs (#5897)
  • Check for IsGranted('edit', 'team') instead of IsGranted('edit_team') (#5897)
  • Use StringCell for all exported content that is of type string for XLSX exports (#5899)
  • Always check for formula identifier, not only in position 0 in XLSX invoice (#5899)
  • Translations update from Hosted Weblate (#5892)

Involved in this release: @kevinpapst, @melnicek, @satexd, @hett-patell, @AzureADTrent

2.53.0 Mixed
Security fixes
  • RelayState sanitization before redirect
  • User attribute escaping to prevent quote injection
  • Restricted access to deprecated API password hashes via Twig SecurityPolicy
Notable features
  • New RelayState cleanup configuration
  • Improved opcache deactivation handling
  • Fetch PHP extension requirements via composer for Doctor screen

2.52.0 Maintenance

Updated dependencies to latest versions. Added spacer configuration for date_weekday Twig filter. Added more styles for absence entries with updated translations.

2.51.0 Security relevant
Security fixes
  • Customer permission checks in invoice API (GHSA-v33r-r6h2-8wr7)

2.50.0 Breaking risk
Breaking changes
  • Removed support for file:// URLs in Markdown
Notable features
  • Fixed timesheet break handling in weekly hours screen

2.49.0 New feature
Notable features
  • Column summarization per customer
  • Plugin access to working-time data

2.48.0 New feature
Notable features
  • Export template configuration for regular users
  • Apache Docker stable tag
  • DayAddOn type attribute and styling

2.47.0 Maintenance
Breaking changes
  • FPM Docker tags no longer created
Security fixes
  • Twig security hardening for invoice and export templates
Notable features
  • Enhanced Twig template security
  • Self-contained print export template

2.46.0 Security relevant
Security fixes
  • Added security check for sensitive data in Twig export templates
