THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-jr9p-4h4j-6c58 (critical) — Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover

[GHSA] GHSA-jr9p-4h4j-6c58 (critical) — Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover

highgithub_advisoriesPublished 2026-07-14

GHSA-jr9p-4h4j-6c58 Severity: critical CVE: CVE-2026-52824

Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover

### Summary

The official Kimai Docker image ships with `APP_SECRET=change_this_to_something_unique` as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image

Indicators of compromise

Original source: https://github.com/advisories/GHSA-jr9p-4h4j-6c58