Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.
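To make the root cause concrete, the following is an added sketch in the shape of a Laravel policy, written for this page and not taken from LinkAce's source. The `$link->user->is($user)` ownership test and the `userCanAccessLink()` name come from the description above; the `User` and `Link` stand-in classes and the `is_private` attribute are assumptions made so the file runs on its own.

```php
<?php
// Added illustration, not LinkAce's source. The Laravel Eloquent models are
// replaced by minimal stand-ins so the file runs on its own with `php`.
final class User
{
    public function __construct(public int $id) {}
    // Stand-in for Eloquent's Model::is(): same record or not.
    public function is(User $other): bool { return $this->id === $other->id; }
}
final class Link
{
    // `is_private` is an assumed attribute standing in for LinkAce's visibility field.
    public function __construct(public User $user, public bool $is_private) {}
}
final class LinkPolicy
{
    // Visibility-only access check of the kind the advisory describes: any
    // authenticated user passes for a resource that is not private.
    private function userCanAccessLink(User $user, Link $link): bool
    {
        return !$link->is_private || $link->user->is($user);
    }

    // Before 2.5.6: update() delegated to the visibility check, so visibility
    // rather than ownership decided who may edit (CWE-639).
    public function updateBefore(User $user, Link $link): bool
    {
        return $this->userCanAccessLink($user, $link);
    }
    // delete() already required ownership; the fix makes update() match it.
    public function delete(User $user, Link $link): bool
    {
        return $link->user->is($user);
    }

    public function update(User $user, Link $link): bool
    {
        return $link->user->is($user);
    }
}

$owner = new User(1);
$other = new User(2);
$publicLink = new Link($owner, is_private: false);
$policy = new LinkPolicy();
// A non-owner is let through by the visibility-only check but stopped by the ownership check.
assert($policy->updateBefore($other, $publicLink) === true);
assert($policy->update($other, $publicLink) === false);
assert($policy->update($owner, $publicLink) === true);
```

The same contrast applies to the API layer's `userCanUpdateModel()` versus `userCanDeleteModel()`: the fix is to make the update path use the ownership test the delete path already uses.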
Published: 2026-05-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that permits any authenticated user to update link, list, tag, and note resources belonging to other users if the resources are public or internally visible. The flaw resides in the update methods of the policies that mistakenly grant access based on visibility, not ownership, thus allowing attackers to overwrite content across the entire instance. The attack could lead to unauthorized data modification, reputational damage, and potential compromise of organizational knowledge bases.

Affected Systems

This issue affects Kovah's LinkAce application in versions older than 2.5.6. It impacts both the web user interface and the REST API, and also affects bulk edit operations handled by BulkEditController. Systems running any release prior to 2.5.6 are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for authenticated users. EPSS data is not available, so the exact exploitation probability is uncertain, but the lack of a KEV listing does not reduce the risk of exploitation. The attack requires legitimate login credentials, after which any public or internally visible resource can be arbitrarily modified. The flaw is not mitigated by role restrictions alone; only ownership checks would prevent the abuse.

Generated by OpenCVE AI on May 28, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch to reach version 2.5.6 or newer, which corrects the policy checks for updates.
  • Restrict resource visibility to private until an update is applied, thereby eliminating the ability for other authenticated users to modify them.
  • If an immediate upgrade is not feasible, consider disabling bulk edit functionality as a temporary measure to reduce the attack surface.

Generated by OpenCVE AI on May 28, 2026 at 22:25 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Kovah
Kovah linkace
Vendors & Products Kovah
Kovah linkace

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.
Title LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:45:49.796Z

Reserved: 2026-05-11T21:40:08.177Z

Link: CVE-2026-45342

Vulnrichment

Updated: 2026-05-29T14:45:43.404Z

NVD

Status : Deferred

Published: 2026-05-28T22:17:00.227

Modified: 2026-05-29T16:16:28.007

Link: CVE-2026-45342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:30:28Z

Weaknesses