Information Exposure Through Timing Discrepancy in kimai2 - #VU126577


Published: April 20, 2026


Vulnerability identifier: #VU126577
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kevin Papst
Affected software: kimai2

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose valid usernames via a timing side channel.

The vulnerability exists due to an observable timing discrepancy in src/API/Authentication/TokenAuthenticator.php when handling requests that carry the legacy X-AUTH-USER and X-AUTH-TOKEN headers. A remote attacker can send specially crafted authentication requests and measure response times to determine whether a given username is valid, disclosing valid usernames via a timing side channel.

The response body and HTTP status are identical for valid and invalid usernames, and no prior authentication, API token, or session cookie is required.
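As an added illustration (not Kimai's code), the two shapes a header-based token check can take: the early return on an unknown username that produces a measurable CWE-208 discrepancy, and a version that always performs exactly one hash verification regardless of whether the user exists. All function and variable names, the user store and the token values are hypothetical.

```php
<?php
// Constructed user store: username => password_hash() of the user's API token.
$users = [
    'alice' => password_hash('alice-secret-token', PASSWORD_DEFAULT),
];
// A dummy hash verified whenever the username is unknown, so that request
// still pays the cost of one password_verify() call (same algorithm and cost).
$dummyHash = password_hash('unused-dummy-token', PASSWORD_DEFAULT);

// Vulnerable shape: unknown usernames return before any hash verification,
// so their requests complete measurably faster than those for known users.
function authenticateVulnerable(array $users, string $user, string $token): bool
{
    if (!isset($users[$user])) {
        return false;                       // early exit, no hashing cost
    }
    return password_verify($token, $users[$user]);
}

// Hardened shape: run exactly one password_verify() on every request, against
// the real hash if the user exists or the dummy hash otherwise, and only then
// combine the two results. The response (false) is unchanged for both cases.
function authenticateConstantPath(array $users, string $user, string $token, string $dummyHash): bool
{
    $known   = isset($users[$user]);
    $hash    = $known ? $users[$user] : $dummyHash;
    $tokenOk = password_verify($token, $hash);   // always executed
    return $known && $tokenOk;
}

// Reading the headers the advisory names; from the CLI both are empty and
// the check fails, as it should.
$user  = $_SERVER['HTTP_X_AUTH_USER']  ?? '';
$token = $_SERVER['HTTP_X_AUTH_TOKEN'] ?? '';
var_dump(authenticateConstantPath($users, $user, $token, $dummyHash));
```

Note that the user lookup itself (for example a database query) can also differ in duration between existing and missing users, so the hash step is only one part of closing the channel.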


Remediation

Install the security update from the vendor's website.

Sources