Linkwarden
CVE-2026-44313
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for "http://" or "https://" prefixes. This issue has been patched in version 2.13.0.
AnalysisAI
Server-Side Request Forgery in Linkwarden's fetchTitleAndHeaders function enables authenticated users to perform arbitrary HTTP requests against internal services and infrastructure. The vulnerability stems from inadequate URL validation that only verifies protocol prefixes (http:// or https://) without blocking internal address spaces, allowing attackers to scan internal networks, access metadata endpoints (e.g., cloud provider instance metadata), and potentially exfiltrate sensitive data from services not exposed to the internet. Exploitation requires only low-privilege authentication (PR:L) and can impact resources beyond the vulnerable application's security scope (S:C). Patched in version 2.13.0.
Technical ContextAI
Linkwarden is a self-hosted collaborative bookmark manager built as a web application. The vulnerable fetchTitleAndHeaders function, likely used to retrieve webpage metadata when users add bookmarks, accepts user-controlled URLs without proper validation or allowlist enforcement. The function performs server-side HTTP requests to fetch title and header information, but only validates that URLs begin with http:// or https:// - failing to block RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8), link-local addresses (169.254.0.0/16), or cloud metadata endpoints (169.254.169.254). CWE-918 (Server-Side Request Forgery) occurs when applications make HTTP requests based on user input without validating the destination against an allowlist of permitted hosts. The Changed scope (S:C) in the CVSS vector indicates the vulnerability can impact resources outside Linkwarden's authorization boundary, such as internal databases, admin panels, or AWS/Azure/GCP metadata services accessible from the server's network context.
RemediationAI
Upgrade immediately to Linkwarden version 2.13.0 or later, which implements proper URL validation to prevent internal network access. Download from the official GitHub repository at https://github.com/linkwarden/linkwarden or update Docker images to tag 2.13.0+. For environments unable to upgrade immediately, implement network-level egress filtering to block Linkwarden's server process from accessing internal IP ranges: deny outbound connections to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, and ::1/128 (IPv6 loopback). Cloud deployments should apply IMDSv2 enforcement on EC2 instances (AWS) or equivalent metadata service protections (Azure, GCP) to mitigate credential theft via 169.254.169.254 access. Note that egress filtering may break legitimate functionality if Linkwarden needs to fetch bookmarks from internal corporate web applications - assess organizational use cases before implementing. Audit existing user accounts for potentially malicious low-privilege users created specifically for exploitation. Review application logs for suspicious fetchTitleAndHeaders requests targeting internal IP addresses or metadata endpoints as indicators of prior exploitation attempts.
More in Linkwarden
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today