Kimai discloses eleven advisories in one late-night batch — a hardcoded Docker default secret enables full account takeover
The official Kimai Docker image has shipped `APP_SECRET=change_this_to_something_unique` as its default since inception, and nothing in the entrypoint script checks for or replaces that sentinel value; since Symfony uses `APP_SECRET` as `kernel.secret` to HMAC-sign remember-me cookies, login links, and CSRF tokens, any instance still running the default can have its authentication tokens forged by an unauthenticated attacker (CVE-2026-52824). A companion high-severity bug lets the pre-2FA `KIMAI_SESSION` cookie grant full authenticated REST API access before TOTP verification ever completes, and nine more medium authorization/CSRF bugs across timesheets, teams, and exports round out the batch. If you run Kimai's Docker image, check `/opt/kimai/.env.local` (or your container env) for the literal string `change_this_to_something_unique` and rotate it now — don't wait for the point release.