CVE-2026-33954
Received Received - Intake
Information Disclosure in LinkAce Web Interface Allows Private Note Access

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web interface. The API appears to correctly enforce note visibility, but the web link detail page renders notes without applying equivalent visibility filtering. As a result, an authenticated user who is allowed to view another user's `internal` or `public` link can read that user's `private` notes attached to the link. Version 2.5.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33954
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linkace linkace to 2.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects LinkAce, a self-hosted archive for collecting website links, in versions prior to 2.5.3. It allows an authenticated user to view private notes attached to non-private links belonging to other users via the web interface. Although the API enforces note visibility correctly, the web link detail page does not apply the same visibility filtering, leading to unintended disclosure of private notes.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of private notes between authenticated users. If you are using a vulnerable version of LinkAce, other authenticated users who have access to your non-private links could read your private notes attached to those links, potentially exposing sensitive or confidential information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade LinkAce to version 2.5.3 or later, as this version patches the issue where private notes attached to non-private links could be disclosed to other authenticated users via the web interface.

Compliance Impact

This vulnerability allows an authenticated user to access private notes attached to links that they should not be able to see. Such unauthorized disclosure of private information can lead to violations of data privacy and protection requirements.

As a result, organizations using affected versions of LinkAce may face challenges in complying with standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart