Skip to main content

LinkAce CVE-2026-45342

| EUVDEUVD-2026-33056 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-28 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 00:00 vuln.today
Patch available
May 28, 2026 - 23:02 EUVD
CVSS changed
May 28, 2026 - 22:22 NVD
7.1 (HIGH)
CVE Published
May 28, 2026 - 20:47 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.

AnalysisAI

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes belonging to other users whenever those resources have non-private visibility. The flaw exists in both the web UI and the REST API because the update() policy checks validate visibility instead of ownership, while delete() correctly enforces ownership. No public exploit identified at time of analysis, but the bug is trivially exploitable by any registered account on a vulnerable instance.

Technical ContextAI

LinkAce is a self-hosted PHP/Laravel application for archiving website links, identified by CPE cpe:2.3:a:kovah:linkace. The root cause is a CWE-639 Authorization Bypass Through User-Controlled Key: the update() methods of LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy all delegate to helpers such as userCanAccessLink() which return true for any non-private resource regardless of $resource->user. The same broken pattern is mirrored in the API layer via AuthorizesUserApiActions::userCanUpdateModel(), and the BulkEditController inherits the flaw, so bulk operations are similarly unauthorized. The contrast with the correctly-written delete() checks (which use $link->user->is($user)) confirms ownership was the intended invariant.

RemediationAI

Vendor-released patch: upgrade to LinkAce 2.5.6 or later, which corrects the update() and userCanUpdateModel() checks to enforce ownership in line with the delete() checks; see https://github.com/Kovah/LinkAce/security/advisories/GHSA-cj8f-h888-m57m. If immediate upgrade is not possible, the most effective compensating control is to disable public account registration and audit existing accounts so only trusted users remain, since exploitation requires an authenticated session; operators of single-user instances can place the application behind an authenticating reverse proxy or IP allowlist to prevent unknown accounts from existing at all. As an additional stopgap, set all links, lists, tags, and notes to 'private' visibility - the broken check returns true only for non-private resources - but this will break any intentional sharing and is a temporary measure only until 2.5.6 is deployed.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2026-45342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy