CVE-2026-49865

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs

Summary

Kimai 2.56.0 contains a server-side request forgery vulnerability in its invoice PDF preview and generation workflow. If an attacker can control Markdown content that is later rendered into an invoice PDF, such as Customer.invoiceText, the server-side PDF renderer will fetch remote image URLs embedded in Markdown image syntax.

This allows the application server to issue outbound requests to attacker-controlled or internal targets during PDF rendering. The behavior can be used for internal network probing, server-side reachability checks, and potentially follow-on exploitation depending on deployment environment and accessible internal services.

Details

The vulnerable behavior occurs in the invoice rendering chain when user-controlled Markdown is transformed into HTML and then rendered by mPDF.

  • First, customer invoice text is copied into the invoice model.
. Second, the default PDF invoice template renders that field through the Markdown-to-HTML filter.
  • Third, md2html enables full Markdown rendering.
  • Although safe mode is enabled, the tested Markdown image syntax still survives into the rendered HTML chain in a form that causes the PDF renderer to fetch the image resource.
  • Finally, the HTML is handed to mPDF.

The live test confirms that mPDF attempts to retrieve the remote image URL from the server side during PDF preview. This means the issue is not a template-injection problem but an SSRF condition caused by the rendering pipeline:

  • attacker-controlled Markdown
  • Markdown converted to HTML
  • HTML rendered by mPDF
  • mPDF fetches remote image resources from the server side

*A PoC was provided, but removed for security reasons.*

Impact

This vulnerability allows an attacker who can influence invoice-rendered Markdown fields to cause the Kimai server to make outbound requests to arbitrary destinations. In real deployments, this can be used to probe internal services, test access to internal administrative or metadata endpoints, and confirm server-side reachability to attacker-controlled infrastructure.

Depending on the environment, SSRF can also become a stepping stone toward more serious outcomes, such as triggering side effects on internal HTTP services or extracting sensitive information from services reachable only by the server. Because invoice generation is commonly performed by administrative or finance-related users, the feature is realistically reachable in business workflows.

Solution

  • Kimai does not allow to use markdown images any longer and converts them to HTML links instead
  • Kimai uses a specialized HttpClient for mPDF (called NoPrivateNetworkHttpClient), which prevents access to a variety of URLs, the full list can be fetched from the documentation
  • This change can be a BC break, if someone used
  • the Kimai domain for hosting invoice or export template images
  • an internal IP for hosting invoice or export template images

See https://www.kimai.org/en/security/ghsa-pj8j-p4g4-4vw8

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 10, 2026

Last Modified

July 10, 2026

Vendor Advisories for CVE-2026-49865(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-10 16:14 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-49865?
CVE-2026-49865 is a medium vulnerability published on July 10, 2026. Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs Summary Kimai 2.56.0 contains a server-side request forgery vulnerability in its invoice PDF preview and generation workflow. If an attacker can control Markdown content that is later rendered into an invoice…
When was CVE-2026-49865 disclosed?
CVE-2026-49865 was first published in the National Vulnerability Database on July 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-49865?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49865, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49865

Explore →

Is Your Infrastructure Affected by CVE-2026-49865?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.