Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.
Published: 2026-04-07
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Internal Information Disclosure
Action: Patch
AI Analysis

Impact

LinkAce, a self-hosted link archive, has a Server-Side Request Forgery flaw: the LinkRepository::update path and the CheckLinksCommand::checkLink scheduler task do not check whether a link's host resolves to a private IP address. An authenticated user can create a link with a public URL, which passes the laravel-html-meta check applied at creation, and then update it to point at an internal address; the links:check cron job later fetches that URL server-side with no IP filtering, and the user can read the response. Sensitive internal information, such as cloud metadata credentials (AWS IMDSv1 is named in the description), internal API responses and network topology, can be exposed. The weakness is classified as CWE-918.

Affected Systems

The flaw affects all installations of Kovah's LinkAce application up to, but not including, version 2.5.4. Versions prior to 2.5.4 lack the IP‑address validation in both the LinkRepository::update method and the CheckLinksCommand::checkLink scheduler task.

Risk and Exploitability

The CVSS 3.1 base score of 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) reflects moderate severity: the flaw is reachable over the network with low complexity, but it requires an authenticated account that can create or update a link, and the request is made by the links:check cron job rather than on demand, so an attacker has to wait for the next scheduled run. Scope is rated changed because the data read belongs to a different component (the internal service or metadata endpoint), and the impact is limited to confidentiality. The EPSS score is below 1 percent and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. Nonetheless, on cloud-hosted instances the potential to expose instance metadata credentials warrants prompt attention.

Generated by OpenCVE AI on April 7, 2026 at 22:49 UTC.

Remediation

The vendor fix is LinkAce 2.5.4; no separate workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade LinkAce to version 2.5.4 or later.
  • If an upgrade is not immediately possible, disable or modify the links:check cron job to reject private IP ranges.
  • Configure network firewalls, or host egress rules for the application's process, to block outbound connections from the application to RFC 1918 ranges, loopback, link-local addresses (including the 169.254.169.254 metadata endpoint) and any other internal services.
  • Enforce IMDSv2 (HttpTokens set to required) if running on AWS; IMDSv2 needs a session token obtained with a PUT request, so a plain GET made by a link checker cannot read the metadata. This does not protect other internal services, so it complements the IP filtering rather than replacing it.
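The flow in the Impact section and the "reject private IP ranges" step in the recommendations come down to one check that must run on every path that stores or fetches a link URL, not only at creation. The following is an added example of such a check in PHP, written for this page and not taken from LinkAce or laravel-html-meta; the OutboundUrlPolicy class, its method names and the hostnames and addresses in the demo are assumptions. It resolves the host and refuses any address in a private, loopback, link-local, multicast, IPv4-mapped or unspecified range, so both a literal 169.254.169.254 and a DNS name that points at an internal IP are rejected.

```php
<?php
// Added example, not LinkAce's code: a host check that rejects URLs whose
// destination is a private, loopback, link-local or cloud-metadata address.
// Class, method and hostnames below are assumptions made for illustration.
declare(strict_types=1);

final class OutboundUrlPolicy
{
    /** Destinations a link checker must never fetch on a user's behalf. */
    private const BLOCKED_CIDRS = [
        '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
        '169.254.0.0/16',          // link-local, includes AWS/GCP/Azure IMDS
        '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
        '::/128', '::1/128', 'fc00::/7', 'fe80::/10',
        '::ffff:0:0/96',           // IPv4-mapped IPv6, e.g. ::ffff:10.0.0.1
    ];

    /**
     * Returns null if $url may be fetched, otherwise the reason it was refused.
     * Every resolved address is checked, so a DNS name pointing at an internal
     * IP is refused as well as a literal one. $resolver is injectable so the
     * check can be exercised offline.
     */
    public static function reject(string $url, ?callable $resolver = null): ?string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return 'unparseable URL';
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return 'scheme not allowed';
        }
        $host = trim($parts['host'], '[]');          // strip IPv6 brackets
        $resolver ??= [self::class, 'resolve'];
        $addresses = $resolver($host);
        if ($addresses === []) {
            return 'host does not resolve';
        }
        foreach ($addresses as $ip) {
            foreach (self::BLOCKED_CIDRS as $cidr) {
                if (self::inCidr($ip, $cidr)) {
                    return "resolves to blocked address $ip ($cidr)";
                }
            }
        }
        return null;
    }

    /** Real DNS lookup; returns every A and AAAA answer. @return string[] */
    private static function resolve(string $host): array
    {
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            return [$host];                          // literal IP, no lookup
        }
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'];
        }
        return $ips;
    }

    /** Binary prefix comparison that works for both IPv4 and IPv6. */
    private static function inCidr(string $ip, string $cidr): bool
    {
        [$net, $bits] = explode('/', $cidr);
        $ipBin  = inet_pton($ip);
        $netBin = inet_pton($net);
        if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
            return false;                            // different address family
        }
        $bits      = (int) $bits;
        $fullBytes = intdiv($bits, 8);
        if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
            return false;
        }
        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;         // leading bits of the last partial byte
        return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
    }
}

// Constructed offline demo: a stub resolver with made-up answers stands in for DNS.
$table = ['example.com' => ['93.184.216.34'], 'internal.corp' => ['10.20.30.40']];
$stub  = fn (string $h): array =>
    $table[$h] ?? (filter_var($h, FILTER_VALIDATE_IP) !== false ? [$h] : []);

foreach ([
    'https://example.com/',
    'http://169.254.169.254/latest/meta-data/iam/security-credentials/',
    'http://internal.corp/',
    'http://[::1]:8080/admin',
    'http://[::ffff:192.168.1.1]/',
] as $url) {
    printf("%-68s %s\n", $url, OutboundUrlPolicy::reject($url, $stub) ?? 'allowed');
}
```

In a link checker the check belongs in two places: the update handler, so a URL that passed validation at creation cannot be swapped for an internal one later, and immediately before the scheduled fetch, because the host's DNS answer can change between validation and the cron run. Even then the HTTP client resolves the name again; to close that window the client should connect to the address that was validated (with curl, CURLOPT_RESOLVE pins a hostname to an IP) rather than resolving a second time, and any redirect target must pass the same check before it is followed.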

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Kovah, Kovah linkace
Vendors & Products                      Kovah, Kovah linkace

Tue, 07 Apr 2026 18:00:00 +0000

Type          Values Removed    Values Added
Description                     LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.
Title                           LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection
Weaknesses                      CWE-918
References
Metrics                         cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:14:45.891Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35516

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:27.937

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:25Z

Weaknesses