Skip to main content

Linkace CVE-2026-33954

| EUVDEUVD-2026-16870 MEDIUM
Improper Authorization (CWE-285)
2026-03-27 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.3
EUVD ID Assigned
Mar 27, 2026 - 22:00 euvd
EUVD-2026-16870
Analysis Generated
Mar 27, 2026 - 22:00 vuln.today
CVE Published
Mar 27, 2026 - 21:23 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web interface. The API appears to correctly enforce note visibility, but the web link detail page renders notes without applying equivalent visibility filtering. As a result, an authenticated user who is allowed to view another user's internal or public link can read that user's private notes attached to the link. Version 2.5.3 patches the issue.

AnalysisAI

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared links, despite the API correctly enforcing note visibility restrictions. An authenticated user can read another user's private notes attached to internal or public links by accessing the web link detail page, resulting in unauthorized information disclosure. Version 2.5.3 patches this authorization bypass.

Technical ContextAI

LinkAce is a self-hosted web application for archiving and organizing website links. The vulnerability stems from inconsistent authorization logic between the REST API and the web interface view layer (CWE-285: Improper Authorization). While the API endpoint correctly filters notes based on visibility permissions, the web template rendering the link detail page fails to apply the same visibility checks before outputting note content to the browser. This is a classic case of authorization enforcement bypassed through an alternate interface-the API enforces the control correctly, but the web UI rendering layer does not validate that the authenticated user has permission to view the specific note being displayed. The affected product range covers LinkAce prior to version 2.5.3 as specified in CPE cpe:2.3:a:kovah:linkace:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: Upgrade LinkAce to version 2.5.3 or later. This version includes fixes to enforce note visibility filtering in the web interface, aligning the UI behavior with API authorization controls. Users should update their self-hosted installations immediately by obtaining the latest release from the LinkAce GitHub repository (https://github.com/Kovah/LinkAce) or consulting the security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-88h3-cq25-vw8q for step-by-step upgrade instructions. No workarounds are available for versions prior to 2.5.3; patching is the only mitigation.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2026-33954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy