THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-v8hx-4vx8-wc96 (high) — Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP

[GHSA] GHSA-v8hx-4vx8-wc96 (high) — Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP

highgithub_advisoriesPublished 2026-07-14

GHSA-v8hx-4vx8-wc96 Severity: high CVE: CVE-2026-52827

Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP

### Summary Two-factor authentication (TOTP) can be fully bypassed for the REST API. The `KIMAI_SESSION` cookie returned in the response to the login request; issued after only the password is verified, before the TOTP step; is already accepted as a

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-v8hx-4vx8-wc96