Executive Summary

CVE-2026-35516 is a Server-Side Request Forgery (SSRF) vulnerability in the Kovah/LinkAce package affecting versions up to 2.5.3. It occurs because the update mechanism for links does not properly validate URLs for private IP addresses, unlike the link creation process which does. This allows an authenticated user to create a link with a public URL and then update it to a private IP address without triggering IP filtering.

When the scheduled cron job runs, it makes server-side HTTP HEAD requests to the updated link URLs without checking if they point to private IPs. This enables the attacker to make the server access internal services such as AWS Instance Metadata Service (IMDSv1), cloud metadata, or internal APIs, potentially exposing sensitive internal data.

The vulnerability is fixed in version 2.5.4 by adding IP validation during link updates and adding IP filtering in the link checking process.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user to exploit the server to access internal network resources that are normally inaccessible externally. Specifically, it can expose sensitive information such as cloud credentials, internal service data, and network topology.

• Exposure of AWS Instance Metadata Service (IMDSv1) data, which can include cloud credentials.
• Access to cloud metadata and internal APIs that may contain confidential information.
• Disclosure of internal network structure and topology.

Overall, this can lead to unauthorized information disclosure and potential further compromise of internal systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious link updates that point to private IP addresses, especially those targeting internal services such as AWS IMDS or cloud metadata endpoints.

One way to detect exploitation attempts is to check the status of links after they have been updated. If the link status endpoint returns "status": "ok" for URLs pointing to private IPs, it indicates that the server is making requests to internal resources.

Suggested commands to detect this vulnerability include querying the LinkAce database or API for links with private IP addresses and checking the logs or cron job outputs for HEAD requests to internal IPs.

• Query the database for links with private IPs, e.g., using SQL: SELECT * FROM links WHERE url LIKE 'http://10.%' OR url LIKE 'http://192.168.%' OR url LIKE 'http://169.254.%';
• Check the status endpoint for suspicious links: curl -X GET http://your-linkace-instance/api/links/{link_id}/status
• Review server logs or cron job logs for HEAD requests to private IP addresses.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade LinkAce to version 2.5.4 or later, where the vulnerability is fixed by adding IP validation during link updates and enforcing IP filtering in the link checking cron job.

If upgrading immediately is not possible, restrict authenticated users from updating links to private IP addresses by implementing manual checks or temporary access controls.

Additionally, consider disabling or restricting the links:check cron job until the fix is applied to prevent server-side requests to internal services.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated user to perform Server-Side Request Forgery (SSRF) to access internal services and sensitive data such as cloud credentials, internal APIs, and network topology. Exposure of such sensitive information could lead to unauthorized data access or breaches.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the potential exposure of sensitive internal data and cloud credentials could result in violations of data protection and privacy regulations if exploited, as these regulations require safeguarding sensitive and personal data from unauthorized access.

Useful 0 Not Useful 0