Description
LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web interface. The API appears to correctly enforce note visibility, but the web link detail page renders notes without applying equivalent visibility filtering. As a result, an authenticated user who is allowed to view another user's `internal` or `public` link can read that user's `private` notes attached to the link. Version 2.5.3 patches the issue.
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidential Data Disclosure
Action: Patch immediately
AI Analysis

Impact

A flaw in the web interface of LinkAce allows an authenticated user to view private notes attached to a non-private link owned by another user. The note content is rendered without applying the same visibility checks as the API, resulting in disclosure of confidential information. This weakness, classified as CWE-285, enables an attacker with any user account to read private data belonging to other users, violating confidentiality.

Affected Systems

The affected product is LinkAce from Kovah. Versions earlier than 2.5.3 are vulnerable. Version 2.5.3 and later contain a fix that correctly enforces note visibility on the web link detail page.

Risk and Exploitability

The CVSS base score is 6.5, indicating a moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires only an authenticated user with access to the web interface; the attacker does not need elevated privileges or code execution. Consequently, any legitimate user can readily trigger the data disclosure by visiting a link’s detail page, making the risk significant for organizations that rely on private notes for sensitive information.

Generated by OpenCVE AI on March 31, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LinkAce to version 2.5.3 or later to apply the patch that enforces correct note visibility.
  • Verify that the web interface correctly filters note visibility for private notes after the upgrade.
  • If an upgrade is not immediately possible, restrict users from accessing link detail pages that contain private notes until a fix is deployed.
  • Monitor application logs for attempts to view private notes by unauthorized users and remediate any incidents promptly.


Tracking


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Linkace; Linkace linkace
CPEs                                  cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*
Vendors & Products                    Linkace; Linkace linkace

Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Kovah; Kovah linkace
Vendors & Products                    Kovah; Kovah linkace

Sat, 28 Mar 2026 03:15:00 +0000

Type          Values Removed   Values Added
Description                    LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web interface. The API appears to correctly enforce note visibility, but the web link detail page renders notes without applying equivalent visibility filtering. As a result, an authenticated user who is allowed to view another user's `internal` or `public` link can read that user's `private` notes attached to the link. Version 2.5.3 patches the issue.
Title                          LinkAce discloses private notes to unauthorized authenticated users via the web link detail page
Weaknesses                     CWE-285
References                     (none listed)
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T21:57:41.206Z

Reserved: 2026-03-24T19:50:52.106Z

Link: CVE-2026-33954

Vulnrichment

Updated: 2026-03-27T21:57:38.150Z

NVD

Status : Analyzed

Published: 2026-03-27T22:16:21.917

Modified: 2026-03-31T18:03:35.643

Link: CVE-2026-33954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:38Z

Weaknesses