Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-pj8j-p4g4-4vw8: Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs

0
Medium
Published: 07/10/2026 (07/10/2026, 16:04:40 UTC)
Source: GCVE Database
Product: kimai/kimai

Description

Kimai versions prior to 2.58.0 contain a server-side request forgery (SSRF) vulnerability in the invoice PDF rendering process. This occurs when user-controlled Markdown content, such as customer invoice text, is converted to HTML and rendered into PDFs using mPDF. The renderer fetches remote image URLs embedded in Markdown image syntax from the server side, allowing attackers to cause outbound requests to arbitrary destinations. This can be leveraged for internal network probing and server-side reachability checks. Kimai has mitigated this by disabling Markdown image rendering and using a specialized HTTP client that blocks access to private network addresses during PDF generation.

CVSS v4.0

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Vuln. Confidentiality
None
Vuln. Integrity
None
Vuln. Availability
None
Subsq. Confidentiality
Low
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Affected software

Packagistghsa
kimai/kimai
Affected versions
<2.58.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 10:08:09 UTC

Technical Analysis

Kimai 2.56.0 and earlier versions have an SSRF vulnerability in the invoice PDF preview and generation workflow. When attacker-controlled Markdown content containing image URLs is rendered into PDF, the mPDF renderer fetches these remote images server-side. This enables an attacker with control over invoice Markdown fields to make the Kimai server issue outbound HTTP requests to arbitrary or internal network targets. The vulnerability arises because Markdown images survive the Markdown-to-HTML conversion and are fetched by mPDF during PDF rendering. The issue is not template injection but SSRF caused by the rendering pipeline. The vulnerability is mitigated in Kimai 2.58.0 by disabling Markdown image rendering and using a restricted HTTP client that prevents access to private network addresses.

Potential Impact

An attacker able to influence invoice-rendered Markdown fields can cause the Kimai server to make arbitrary outbound HTTP requests. This can be used to probe internal network services, test access to internal administrative endpoints, and confirm server-side reachability to attacker-controlled infrastructure. Depending on deployment, this SSRF could lead to further exploitation such as triggering side effects on internal services or extracting sensitive information accessible only from the server. Since invoice generation is typically performed by administrative or finance users, the vulnerability is realistically exploitable in business workflows.

Mitigation Recommendations

Kimai 2.58.0 and later versions have mitigations that disable Markdown image rendering by converting them to HTML links instead. Additionally, Kimai uses a specialized HTTP client (`NoPrivateNetworkHttpClient`) for mPDF that blocks requests to private network addresses and other restricted URLs. Users should upgrade to version 2.58.0 or later to apply these fixes. Note that this change may cause backward compatibility issues if invoice or export templates rely on hosting images on the Kimai domain or internal IP addresses. Patch status: An official fix is available in Kimai 2.58.0.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-pj8j-p4g4-4vw8
Osv Schema Version
1.4.0
Aliases
["CVE-2026-49865"]
Ecosystems
["Packagist"]
Database Specific Severity
MODERATE
Cvss Version
4.0

Threat ID: 6a520ee668715ace4391cece

Added to database: 07/11/2026, 09:37:42 UTC

Last enriched: 07/11/2026, 10:08:09 UTC

Last updated: 07/11/2026, 10:08:09 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses