Description
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.
Published: 2026-03-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side Request Forgery
Action: Apply Patch
AI Analysis

Impact

A Server-Steal request-forgery flaw in the LinkAce application allows a user who submits a new link via POST /links to trigger the server to fetch HTML metadata from an arbitrary URL. The LinkStoreRequest validation rules omit the NoPrivateIpRule, so the server may request internal network addresses, Docker hostnames, or cloud metadata services. This flaw is identified as CWE-918, giving an attacker the ability to read internal network resources, exfiltrate sensitive data, or potentially pivot to further attacks. The CVSS base score of 7.7 indicates high severity.

Affected Systems

The affected product is Kovah's LinkAce, a self‑hosted link aggregation platform. No version identifier is supplied; as the issue is present in the default link creation path, all installed instances that have not upgraded to a version where the NoPrivateIpRule is applied to LinkStoreRequest are potentially vulnerable.

Risk and Exploitability

The vulnerability has a low EPSS probability (<1%) and is not listed in the CISA KEV catalog, but the high CVSS score signals significant potential impact. Exploitation is likely straightforward: a malicious or compromised user can issue a crafted POST /links request embedding an attacker‑controlled URL that resolves to a private IP or internal service. No authentication requirement is noted in the description, implying that any user who can access the link creation endpoint could exploit it. Attack success depends on the target environment having reachable internal services; if the target network is already isolated, the practical impact may be reduced.

Generated by OpenCVE AI on March 17, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Patch from Kovah that enforces NoPrivateIpRule in LinkStoreRequest. If no patch is available, update the Request class to include NoPrivateIpRule before metadata fetch. Block or filter internal network addresses in your reverse proxy or firewall to prevent outbound connections to private IP ranges. Monitor LinkAce logs for unexpected link creation attempts and validate fetched URLs against a whitelist of allowed domains. Refer to the official advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7 for further guidance.

Generated by OpenCVE AI on March 17, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Linkace
Linkace linkace
CPEs cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*
Vendors & Products Linkace
Linkace linkace

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Kovah
Kovah linkace
Vendors & Products Kovah
Kovah linkace

Tue, 10 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.
Title LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Kovah Linkace
Linkace Linkace
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:37:18.597Z

Reserved: 2026-03-07T17:34:39.980Z

Link: CVE-2026-30953

cve-icon Vulnrichment

Updated: 2026-03-11T14:37:11.629Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:48.347

Modified: 2026-03-17T16:13:30.093

Link: CVE-2026-30953

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:57Z

Weaknesses