Kimai, Server-Side Request Forgery (SSRF), CVE-2026-49865 (Medium) -DC-Jul2026-854

Listen to this Post

Kimai versions up to and including 2.57.0 are vulnerable to a server-side request forgery (SSRF) attack within the invoice PDF preview and generation workflow. The root cause is the PDF rendering engine’s (mPDF) handling of Markdown images. A user with permission to edit a customer’s invoice text can embed a specially crafted Markdown image reference into that field. When the invoice is generated or previewed, the Markdown is converted to HTML and passed to mPDF. The PDF renderer then attempts to fetch the image URL directly from the application server.
This process occurs without any restrictions on the target address, allowing the server to make outbound requests to arbitrary destinations, including internal network services, metadata endpoints, or attacker-controlled infrastructure. This behavior can be exploited to probe internal networks, verify server-side reachability, and potentially interact with internal HTTP services. The vulnerability has been assigned the CVE identifier CVE-2026-49865.
The flaw lies in the invoice rendering chain, where user-controlled Markdown is transformed into HTML and then rendered by mPDF. Although safe mode is enabled, the Markdown image syntax still results in the PDF renderer fetching the image resource. This is not a template-injection problem but an SSRF condition caused by the rendering pipeline: attacker-controlled Markdown → Markdown converted to HTML → HTML rendered by mPDF → mPDF fetches remote image resources from the server side.
Because invoice generation is commonly performed by administrative or finance-related users, this feature is realistically reachable in business workflows, making the vulnerability a credible threat. The issue affects all Kimai installations, both OnPremise and Cloud. A proof of concept (PoC) was provided but removed for security reasons.

DailyCVE Form

Platform: Kimai
Version: <=2.57.0
Vulnerability: Server-Side Request Forgery
Severity: Medium
Date: 2026-06-04

Prediction: 2026-07-15

What Undercode Say

The following analytics, bash commands, and codes are related to the vulnerability and its mitigation:

Analytics:

  • Attack Vector: Remote
  • Privileges Required: Low (edit customer invoice text)
  • User Interaction: None
  • Exploit Availability: No public exploit
  • CWE: CWE-918

Bash Commands and Codes:

Check current Kimai version
php bin/console kimai:version
Verify if the instance is vulnerable (example check for the fix)
grep -r "NoPrivateNetworkHttpClient" /path/to/kimai/vendor/
Update to the patched version (2.58.0 or newer)
composer update kimai/kimai
bin/console cache:clear

Example vulnerable Markdown payload (for educational purposes):

<img src="http://169.254.169.254/latest/meta-data/" alt="Internal Probe" />

How Exploit

An attacker with permission to edit a customer’s invoice text can exploit this vulnerability. The process is as follows:
1. Access the Customer Record: The attacker gains access to edit a customer’s details, specifically the `Customer.invoiceText` field.
2. Inject Malicious Markdown: The attacker inserts a Markdown image syntax into the invoice text field, pointing to an internal or attacker-controlled URL. Example: ![Probe](http://internal-service.local/secret).
3. Trigger Invoice Generation: The attacker initiates an invoice preview or generation process that includes the modified customer data.
4. Server-Side Request: The application converts the Markdown to HTML and passes it to the mPDF renderer. mPDF, in turn, attempts to fetch the image from the specified URL.
5. SSRF Realized: The Kimai server makes an outbound HTTP request to the target URL, which could be an internal service, metadata endpoint (e.g., AWS metadata at 169.254.169.254), or an attacker’s server. The attacker can then use this to probe internal networks, access sensitive data, or send malicious requests.

Protection

The following protections have been implemented to mitigate this vulnerability:
– Markdown Image Handling: Kimai no longer renders Markdown image syntax. Images are converted to plain HTML links instead, preventing the PDF renderer from fetching remote URLs.
– Restricted HTTP Client: mPDF now uses a restricted HTTP client (NoPrivateNetworkHttpClient) that blocks requests to private network addresses. This limits the scope of any remaining image-loading behavior. The full list of blocked URLs can be found in the PDF templates documentation.
Important Note: These changes may be a breaking change for users who previously embedded images hosted on the Kimai domain itself or on an internal IP address. Users should update to Kimai 2.58.0 or newer.

Impact

  • Internal Network Probing: An attacker can use the SSRF to scan internal networks, identify live hosts, and discover services that are not accessible from the outside.
  • Access to Sensitive Data: The server can be tricked into accessing sensitive internal endpoints, such as cloud metadata services (e.g., AWS, GCP), which may contain credentials or configuration data.
  • Server-Side Reachability: The vulnerability can be used to confirm that the Kimai server can reach attacker-controlled infrastructure, which could be a precursor to more complex attacks.
  • Potential for Follow-on Exploitation: In certain environments, SSRF can be a stepping stone to more serious outcomes, such as triggering side effects on internal HTTP services or extracting sensitive information from services reachable only by the server.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top