Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
🔗 CVE IDs covered (1)
📋 Description
Summary
The official Kimai Docker image ships with APP_SECRET=change_this_to_something_unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP_SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.
Details
Dockerfile:263 sets ENV APP_SECRET=change_this_to_something_unique. This value is consumed by config/packages/framework.yaml:7 as kernel.secret, which Symfony uses to HMAC-sign:
- The
KIMAI_REMEMBERremember-me cookie - LoginLink signatures
- Password reset URLs
- CSRF tokens
The .docker/entrypoint.sh does not check for or replace the default sentinel value. The bare-metal .env.dist:38 ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when APP_SECRET equals the sentinel.
User IDs are sequential integers starting from 1. The first super_admin account is almost always id=1. User IDs are visible in some URLs and API responses.
A PoC was provided, but removed for security reasons.
Impact
Any Kimai instance deployed via the official Docker image without overriding APP_SECRET can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:
- a username is known AND
- the correct account ID for this username is guessed AND
- the account has no active 2FA (two factor) authentication
Solution
- The entrypoint.sh file is updated and now contains a script that generates a random
APP_SECRETviabin2hex(random_bytes(32))which will be stored in/opt/kimai/var/data/.appsecret - The entrypoint.sh will create the file
/opt/kimai/.env.localcontaining theAPP_SECRET, either fetched from the Docker Environment or from the newly created secret file - The documentation was updated to highlight the importance of using a random secret for
APP_SECRET - The Dockerfile removed default
APP_SECRET=change_this_to_something_unique - Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded
APP_SECRET=change_this_to_something_unique
See https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58 for more information.
🎯 Affected products1
- composer/kimai/kimai:<= 2.57.0