CVE-2026-30953

7.7 HIGH

📋 TL;DR

When a link is created, LinkAce fetches the submitted URL server-side to collect page metadata. Because the NoPrivateIpRule validation is not applied to the main link creation endpoint (POST /links), an authenticated user can point that fetch at internal network resources, exposing internal services, the Docker host, and cloud metadata endpoints. It affects all LinkAce instances where users can create links.

💻 Affected Systems

Products:
  • LinkAce
Versions: All versions before v2.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All LinkAce installations with link creation functionality enabled are vulnerable by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete internal network compromise via SSRF leading to credential theft, lateral movement, and cloud metadata exposure enabling full account takeover.

🟠

Likely Case

Information disclosure of internal services, Docker container enumeration, and potential access to sensitive internal APIs or cloud metadata.

🟢

If Mitigated

Limited to public internet resources only, preventing internal network reconnaissance and data exfiltration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (an account able to create links is required)
Complexity: LOW

Exploitation requires authenticated access to create links. The advisory includes proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.6.0

Vendor Advisory: https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7

Restart Required: Yes

Instructions:

  1. Update LinkAce to version 2.6.0 or later.
  2. Restart the web server/service.
  3. Verify the NoPrivateIpRule is now applied to the POST /links endpoint (see How to Verify below).

🔧 Temporary Workarounds

Disable link creation (applies to: all)

Temporarily disable the ability for users to create new links via the web interface.

Network segmentation (applies to: all)

Restrict outbound network access from the LinkAce server to only the external services it needs.

🧯 If You Can't Patch

  • Implement strict egress filtering so the LinkAce server (or container) cannot reach internal IP ranges: RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback, link-local 169.254.0.0/16 (which includes the cloud metadata endpoints), and the Docker bridge network. Enforce this at the host firewall or network layer, not only inside the application, since the request is made by the application itself.
  • Deploy a web application firewall (WAF) with SSRF rules as a secondary control only. Pattern matching on the submitted URL can be bypassed with a hostname that resolves to a private address, DNS rebinding, an HTTP redirect from a public host, or alternate IP encodings (decimal, hex, IPv4-mapped IPv6); egress filtering is the control that actually closes the path.

🔍 How to Verify

Check if Vulnerable:

Check whether the LinkAce version is below 2.6.0. To confirm, create a link whose URL points at an internal address (e.g. http://169.254.169.254) and observe whether LinkAce fetches it: a title or description populated from the internal resource confirms the server-side request. A connection error does not prove the instance is safe, since the request was still sent; where possible, repeat the test with a hostname that resolves to a private address.

Check Version:

Check LinkAce admin panel or composer.json for version number.

Verify Fix Applied:

After updating to v2.6.0+, attempt to create links with URLs that point at internal addresses and verify each is rejected with a validation error. Include a literal private IP, a hostname that resolves to a private IP, and encoded forms of the same address (decimal, hex, IPv4-mapped IPv6), since a rule that matches only dotted-quad literals still leaves the fetch reachable.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests from LinkAce server to internal IP addresses (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
  • Requests to cloud metadata endpoints (169.254.169.254, 169.254.170.2)
  • Failed validation attempts for private IP URLs in application logs

Network Indicators:

  • Outbound connections from LinkAce server to internal network ranges
  • HTTP requests to the Docker bridge network (172.17.0.0/16 by default; user-defined networks take further subnets from 172.16.0.0/12 and 192.168.0.0/16)

SIEM Query:

source="linkace-logs" AND (url="*10.*" OR url="*172.16.*" OR url="*192.168.*" OR url="*169.254.*")

This substring query is a coarse first pass: it matches any URL containing "10." (a version number, or a domain such as example10.com), covers only 172.16.x.x rather than the full 172.16.0.0/12, and misses hostnames that resolve to private addresses and encoded IP literals. Prefer a query that extracts the URL host and tests it against the private ranges, or enrich events with the resolved address, and tune on your own traffic.
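The two checks above (a validation rule on POST /links that must reject internal targets, as described under How to Verify, and a log query that should match on the parsed host rather than a substring) can be modelled in one script. The block below is an added example and is not LinkAce's NoPrivateIpRule or any code from the project: it implements the private-target check a fixed endpoint needs, including the integer, hex and IPv4-mapped forms a dotted-quad match would miss, and runs the same check over constructed JSON-lines submissions. The hostnames under .test, the FAKE_DNS resolver table and the log field names are assumptions made so that it runs offline.

```python
"""Private-target check for link URLs plus a scan of submission logs. Added
example: not LinkAce's NoPrivateIpRule or any LinkAce code. The .test hosts,
FAKE_DNS and the log format are constructed so it runs offline."""
import ipaddress
import json
from urllib.parse import urlsplit

# Ranges a link fetcher must never reach. Python's is_private flag skips some
# (e.g. shared address space 100.64.0.0/10), so they are listed explicitly.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed resolver stand-in. A real rule uses the system resolver and must
# check every address in the answer, not only the first: an attacker's zone can
# mix public and private answers or change them before the fetch (rebinding).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "example.com": ["93.184.216.34"],
    "example10.com": ["104.16.0.10"],
    "docker-host.test": ["172.17.0.1"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],
}


def parse_ip_literal(host):
    """ip_address for a literal host, else None. Accepts integer forms
    (2130706433, 0x7f000001) and unwraps IPv4-mapped IPv6 (::ffff:10.0.0.5)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr


def is_internal(addr):
    """Loopback, private, link-local (covers 169.254.169.254), multicast,
    reserved, unspecified, or any BLOCKED_NETWORKS member."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or any(addr in net for net in BLOCKED_NETWORKS))


def check_link_url(url, resolver=FAKE_DNS):
    """Return (allowed, reason) for a submitted link. Fails closed on anything
    it cannot parse or resolve, as a validation rule on POST /links should."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; brackets and userinfo removed
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    if not host:
        return False, "no host"
    literal = parse_ip_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        addrs = [ipaddress.ip_address(a) for a in resolver.get(host, [])]
    if not addrs:
        return False, "unresolvable host %r" % host
    for addr in addrs:
        if is_internal(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "ok"


# Constructed JSON-lines log of link submissions; the field names are an
# assumption for this demo, not a LinkAce log format.
SAMPLE_LOG = """\
{"user":"alice","route":"POST /links","url":"https://example.com/article"}
{"user":"bob","route":"POST /links","url":"http://169.254.169.254/latest/meta-data/"}
{"user":"bob","route":"POST /links","url":"http://2130706433/"}
{"user":"carol","route":"POST /links","url":"https://example10.com/v10.2/notes"}
{"user":"bob","route":"POST /links","url":"http://[::ffff:10.0.0.5]/admin"}
{"user":"dave","route":"POST /links","url":"http://rebind.test/"}
"""


def flag_internal_targets(log_text, resolver=FAKE_DNS):
    """(user, url, reason) for each submission aimed at an internal target.
    Parsing the host rather than matching "10." keeps example10.com/v10.2 clean."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        allowed, reason = check_link_url(rec["url"], resolver)
        if not allowed:
            hits.append((rec["user"], rec["url"], reason))
    return hits
```

Calling flag_internal_targets(SAMPLE_LOG) returns the four submissions by bob and dave; alice and carol are clean even though carol's URL contains "10.". In production the lookup is the system resolver, every returned address is checked, and the fetch must reuse the validated address (and re-check on every redirect), otherwise the DNS answer can change between validation and fetch.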
