Kimai tracks working time and billing-related metadata, so confidentiality and session integrity are critical. Keep Kimai patched and harden role permissions around export and reporting.
- Upgrade promptly when security advisories are published.
- Ensure the installed version is at or above the fixed release named in each published advisory (for example 2.16.0+ and 2.46.0+), rather than on a branch the advisory lists as vulnerable.
- Test plugin compatibility in staging before production upgrades.
- Track upstream release notes for security fixes.
2) Restrict roles, exports, and API tokens
- Apply least privilege for export/report permissions.
- Limit admin and finance roles to dedicated staff.
- Rotate API tokens and remove stale personal access tokens.
- Restrict anonymous/public access entirely for internal deployments.
- Force HTTPS, secure cookies, and strict session settings.
- Keep MariaDB/MySQL private and not internet-accessible.
- Patch PHP and web server dependencies regularly.
- Back up DB and uploaded assets with restore testing.
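As an added example (not code from this page or from the Kimai project), the "force HTTPS, secure cookies, and strict session settings" item expressed as a Symfony session override. It assumes Kimai's documented `config/packages/local.yaml` override file and that TLS is already terminated in front of the application.

```yaml
# config/packages/local.yaml  (assumed: Kimai's local override file)
framework:
    session:
        # Weak: cookie_secure: false (or 'auto' behind a proxy whose address is
        # not in TRUSTED_PROXIES) lets the session cookie travel over plain HTTP,
        # where anyone on the path can read and replay it. Hardened: HTTPS only.
        cookie_secure: true
        # Keep the cookie out of reach of document.cookie, limiting what an XSS
        # bug in a plugin or report template can steal.
        cookie_httponly: true
        # Do not attach the session to cross-site requests (CSRF defence in depth).
        # 'strict' is tighter but can break SAML/OAuth return redirects; 'lax'
        # is the safe default for most deployments.
        cookie_samesite: lax
        # Bound how long a forgotten or stolen session stays usable (seconds).
        cookie_lifetime: 3600
        gc_maxlifetime: 3600
```

Run `bin/console cache:clear` after changing the file so the compiled configuration picks up the new values, and confirm with the browser's cookie inspector that the session cookie carries the `Secure`, `HttpOnly` and `SameSite` attributes.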
- Kimai documentation: https://www.kimai.org/documentation/
- Kimai source repository: https://github.com/kimai/kimai
- Kimai security policy: https://github.com/kimai/kimai/security/policy
- Kimai advisory example (GHSA-jg2j-2w24-54cg): https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg