CVE-2026-40905
Password Reset Poisoning in LinkAce Allows Account Takeover
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linkace | linkace | all versions before 2.5.4 (2.5.4 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in LinkAce versions prior to 2.5.4. It is a password reset poisoning issue: the application trusts a client-controlled HTTP header when building the absolute URL that is placed in password reset emails.
Specifically, the host of the generated reset URL is taken from the X-Forwarded-Host request header. Any client can send that header, so an attacker who submits a password reset request for the victim's account and adds X-Forwarded-Host with a domain they control gets that domain written into the reset link. No credentials are needed, only the ability to trigger a reset for the victim's account.
As a result, the victim receives a genuine password reset email from the real LinkAce server, but its link points at the attacker's domain. If the victim clicks the link, their browser sends the reset token, which is part of the URL, to the attacker's server. The attacker then submits that still-valid token to the real LinkAce instance, sets a new password, and takes over the account.
How can this vulnerability impact me?
This vulnerability can lead to a full account takeover by an attacker.
By capturing the password reset token through a maliciously crafted reset link, an attacker can reset the victim's password and gain unauthorized access to their account.
This compromises the confidentiality and integrity of the victim's account and any data or services accessible through it.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in LinkAce version 2.5.4; upgrade your installation to 2.5.4 or later. After upgrading, or as an interim control if you cannot upgrade immediately, verify that reset links can no longer be influenced by the client: request a password reset while sending a forged X-Forwarded-Host header and confirm that the link in the resulting email still uses your own configured application URL. If LinkAce runs behind a reverse proxy, have the proxy overwrite X-Forwarded-Host with the real host instead of passing the client's value through, so the application never sees an attacker-supplied one.
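To make the mechanism from the explanation above and the verification step in this answer concrete, here is an added Python model. It is example code written for this page, not code from LinkAce or from the advisory; the configured base URL, the reset route, and the request records are assumptions constructed for the example. It shows a reset-link builder that trusts X-Forwarded-Host next to one that only uses the configured application URL, a check that sends the attacker's request shape to each builder, and a detector that flags reset requests carrying a foreign X-Forwarded-Host.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the deployment's canonical base URL, as it would come from config.
CONFIGURED_APP_URL = "https://links.example.org"
# Assumption: the reset route; the real route in LinkAce is not shown on this page.
RESET_PATH = "/reset-password/"


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for the example)."""
    headers: dict = field(default_factory=dict)

    def header(self, name, default=None):
        # Header names are case-insensitive, so normalise before the lookup.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), default)


def vulnerable_reset_url(request, token):
    """Builds the link the way the advisory describes: the host comes from
    X-Forwarded-Host (or Host), i.e. from whatever the client sent."""
    host = request.header("X-Forwarded-Host") or request.header("Host")
    scheme = request.header("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{RESET_PATH}{token}"


def hardened_reset_url(request, token):
    """Builds the link from configuration only; nothing in the request can change
    the origin, so the token can only ever be sent to the configured host."""
    return f"{CONFIGURED_APP_URL.rstrip('/')}{RESET_PATH}{token}"


def link_points_at_configured_host(url):
    return urlsplit(url).netloc == urlsplit(CONFIGURED_APP_URL).netloc


def builder_is_poison_resistant(builder):
    """Pre-deployment check: feed the attacker's request shape to a URL builder
    and report whether the resulting link still points at the configured host."""
    poisoned = Request({"Host": "links.example.org",
                        "X-Forwarded-Host": "attacker.example"})
    return link_points_at_configured_host(builder(poisoned, secrets.token_urlsafe(32)))


# Constructed sample of password-reset request records (the record shape is an
# assumption; proxy or application logs would be normalised into something similar).
SAMPLE_RESET_REQUESTS = [
    {"client": "203.0.113.10", "headers": {"Host": "links.example.org"}},
    {"client": "198.51.100.7", "headers": {"Host": "links.example.org",
                                           "X-Forwarded-Host": "attacker.example"}},
    {"client": "203.0.113.11", "headers": {"Host": "links.example.org",
                                           "X-Forwarded-Host": "links.example.org"}},
    {"client": "198.51.100.8", "headers": {"Host": "links.example.org",
                                           "x-forwarded-host": "links.example.org:8443"}},
]


def suspicious_reset_requests(records):
    """Detection: flag reset requests whose forwarded host is not the configured
    host. Case and an explicit port are normalised first so a legitimate proxy
    hop is not reported; only a different host name is flagged."""
    expected = urlsplit(CONFIGURED_APP_URL).hostname
    flagged = []
    for rec in records:
        forwarded = Request(rec["headers"]).header("X-Forwarded-Host")
        if forwarded is None:
            continue
        host_only = forwarded.split(":", 1)[0].lower().rstrip(".")
        if host_only != expected:
            flagged.append(rec["client"])
    return flagged


if __name__ == "__main__":
    print("vulnerable builder resists poisoning:",
          builder_is_poison_resistant(vulnerable_reset_url))
    print("hardened builder resists poisoning:",
          builder_is_poison_resistant(hardened_reset_url))
    print("clients sending a foreign X-Forwarded-Host:",
          suspicious_reset_requests(SAMPLE_RESET_REQUESTS))
```

The check in builder_is_poison_resistant is the same probe the verification step above describes, just run against the URL builder instead of against a live mail inbox; the detector is worth running over historical access logs after upgrading, since a foreign X-Forwarded-Host on a reset request from before the fix is a sign that an account may already have been targeted.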
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to perform a password reset poisoning attack and take over accounts by capturing password reset tokens.
Such unauthorized access to user accounts can expose the personal or sensitive data stored in or reachable from them, which may constitute a breach under data protection regulations such as GDPR or HIPAA.
If exploited, it could therefore put an organisation out of compliance with requirements for protecting user data and operating secure authentication mechanisms, and may trigger breach-notification obligations.