THREAT OPS › Threat News › [GHSA] GHSA-jr9p-4h4j-6c58 (critical) — Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
[GHSA] GHSA-jr9p-4h4j-6c58 (critical) — Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
GHSA-jr9p-4h4j-6c58 Severity: critical CVE: CVE-2026-52824
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
### Summary
The official Kimai Docker image ships with `APP_SECRET=change_this_to_something_unique` as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image
Indicators of compromise
- CVE-2026-52824cve
- https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58url
Original source: https://github.com/advisories/GHSA-jr9p-4h4j-6c58