Impact
LinkAce 2.1.0 and earlier contain a flaw in the processTaxonomy() method of LinkRepository.php that allows any authenticated user to attach private tags and lists belonging to other users to their own links by supplying integer IDs. This grants the malicious user the ability to associate or expose another user’s private organizational data, effectively bypassing intended per-user isolation. The weakness is a classic Insecure Direct Object Reference (CWE‑639) and results in unauthorized data manipulation rather than direct system compromise.
Affected Systems
The affected product is Kovah’s LinkAce. All releases prior to and including version 2.1.0 are impacted, as they include the vulnerable processTaxonomy() implementation. The exact patch version is not specified in the advisory, but any release subsequent to 2.1.0 that removes or restricts the ID reference should resolve the issue.
Risk and Exploitability
The CVSS v3.1 score for this issue is 5.3, indicating a moderate severity. EPSS is reported at less than 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated session and access to the vulnerable endpoint; therefore, only users who already hold an account on the instance can trigger the IDOR. Attackers would send requests with manipulated tag or list identifiers to attach the target’s private items to their own records. Because the flaw lies in the business‑logic layer, the attack is feasible for any user with normal privileges on the affected instance.
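The missing control is an ownership check on each supplied ID before it is attached. The sketch below is an added example, not LinkAce's code: the function names, the in-memory table, the `user_id` and `is_private` fields, and the rule that a row is usable when the caller owns it or it is not private are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for a per-user tag table (hypothetical schema).
const TAGS = [
    1 => ['user_id' => 10, 'is_private' => false, 'name' => 'news'],
    2 => ['user_id' => 10, 'is_private' => true,  'name' => 'own-private'],
    3 => ['user_id' => 20, 'is_private' => true,  'name' => 'other-private'],
    4 => ['user_id' => 20, 'is_private' => false, 'name' => 'other-public'],
];

/** Unscoped pattern: any integer ID that exists is attached, whoever owns it. */
function resolveTaxonomyUnscoped(array $input, array $table): array
{
    $ids = [];
    foreach ($input as $entry) {
        if (is_int($entry) && isset($table[$entry])) {
            $ids[] = $entry;
        }
    }
    return $ids;
}

/** Scoped pattern: an ID is attached only if the caller owns the row or it is not private. */
function resolveTaxonomyScoped(array $input, array $table, int $userId): array
{
    $attach = [];
    $rejected = [];
    foreach ($input as $entry) {
        if (!is_int($entry) || !isset($table[$entry])) {
            continue; // unknown or non-integer references are ignored
        }
        $row = $table[$entry];
        if ($row['user_id'] === $userId || $row['is_private'] === false) {
            $attach[] = $entry;
        } else {
            $rejected[] = $entry; // cross-user reference: candidate for an audit log entry
        }
    }
    return ['attach' => $attach, 'rejected' => $rejected];
}

// Constructed request from user 10 referencing its own and another user's tags.
$requested = [2, 3, 4];
echo json_encode(resolveTaxonomyUnscoped($requested, TAGS)), PHP_EOL;
echo json_encode(resolveTaxonomyScoped($requested, TAGS, 10)), PHP_EOL;
```

Recording the rejected IDs per user gives defenders a signal for accounts that repeatedly reference taxonomy rows they do not own.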