CVE-2026-35516

Summary

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.

Affected Software

VendorProductVersion RangeStatus
KovahLinkAce< 2.5.4affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References