CVE-2026-45342
Insecure Direct Object Reference in LinkAce Prior to 2.5.6

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.
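To make the root cause concrete, here is an added illustration in the Laravel policy style the description refers to. It is not LinkAce's own code: the User and Link classes, the visibility constants and the userCanAccessLink() stand-in are assumptions made so the script runs on its own (PHP 8.1 or later). The vulnerable policy delegates its update() decision to the read-access helper, exactly the shape the advisory describes, while the owner-only policy applies the same `$link->user->is($user)` check that the advisory says delete() already uses.

```php
<?php
// Added illustration, not LinkAce's own code. Shows a policy whose update()
// answers with a visibility (read-access) check, next to a form that requires
// ownership, consistent with the delete() check the advisory describes.
// User, Link, the visibility constants and userCanAccessLink() are assumed.

declare(strict_types=1);

final class User
{
    public function __construct(public readonly int $id) {}

    // Mirrors Eloquent's Model::is(): true when both refer to the same record.
    public function is(User $other): bool
    {
        return $this->id === $other->id;
    }
}

final class Link
{
    public const VISIBILITY_PUBLIC   = 1; // assumed values
    public const VISIBILITY_INTERNAL = 2;
    public const VISIBILITY_PRIVATE  = 3;

    public function __construct(
        public readonly int $id,
        public readonly User $user,      // owner relation
        public readonly int $visibility,
    ) {}
}

// Stand-in for the userCanAccessLink() helper named in the advisory: any
// non-private link is readable by every authenticated user; a private link
// only by its owner. It answers "may read", not "may modify".
function userCanAccessLink(User $user, Link $link): bool
{
    return $link->visibility !== Link::VISIBILITY_PRIVATE
        || $link->user->is($user);
}

final class VulnerableLinkPolicy
{
    // Flawed: an edit decision delegated to a read-access check.
    public function update(User $user, Link $link): bool
    {
        return userCanAccessLink($user, $link);
    }

    // Ownership check, as the advisory describes the existing delete().
    public function delete(User $user, Link $link): bool
    {
        return $link->user->is($user);
    }
}

final class OwnerOnlyLinkPolicy
{
    // Hardened form: updating, like deleting, requires ownership.
    public function update(User $user, Link $link): bool
    {
        return $link->user->is($user);
    }

    public function delete(User $user, Link $link): bool
    {
        return $link->user->is($user);
    }
}

// Constructed sample data: a public link owned by user 1, requested by user 2.
$owner  = new User(1);
$other  = new User(2);
$link   = new Link(42, $owner, Link::VISIBILITY_PUBLIC);

$vulnerable = new VulnerableLinkPolicy();
$fixed      = new OwnerOnlyLinkPolicy();

printf("vulnerable policy, non-owner update allowed: %s\n",
    $vulnerable->update($other, $link) ? 'yes' : 'no');
printf("owner-only policy, non-owner update allowed: %s\n",
    $fixed->update($other, $link) ? 'yes' : 'no');
printf("owner-only policy, owner update allowed:     %s\n",
    $fixed->update($owner, $link) ? 'yes' : 'no');
```

The same substitution applies to the list, tag and note policies and to the API-side userCanUpdateModel() the advisory mentions: whichever gate answers "may this user modify this record" must compare the requester against the record's owner, not against its visibility.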
Meta Information
Generated: 2026-05-29 (AI Q&A generated 2026-05-29)
EPSS: not evaluated
Affected Vendors & Products
One associated CPE: vendor linkace, product linkace, versions prior to 2.5.6 (2.5.6 excluded).
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an Insecure Direct Object Reference (IDOR) in LinkAce versions prior to 2.5.6. It occurs in the authorization policy layer, allowing any authenticated user to modify resources owned by other users.

The affected resource types include links, lists, tags, and notes. Both the web user interface and the REST API are vulnerable.

The root cause is that the update() methods in the model policies check access based on resource visibility (public or internal) rather than ownership, allowing any registered user to edit any non-private resource regardless of ownership.

While delete operations correctly require ownership, update operations do not, leading to unauthorized modifications. Bulk edit operations are also affected.

This vulnerability was fixed in LinkAce version 2.5.6.


How can this vulnerability impact me?

This vulnerability allows any authenticated user to modify resources (links, lists, tags, notes) owned by other users if those resources are not private.

As a result, unauthorized users could alter or corrupt data they do not own, potentially leading to data integrity issues, loss of trust, or misuse of shared information.

Since the vulnerability affects both the web UI and API, it increases the attack surface and risk of unauthorized changes.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in LinkAce version 2.5.6. The immediate step to mitigate this vulnerability is to upgrade your LinkAce installation to version 2.5.6 or later.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows any authenticated user to modify resources owned by other users, including links, lists, tags, and notes, without proper ownership checks. This unauthorized modification capability could lead to unauthorized access and alteration of user data.

Such unauthorized access and modification of data may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to ensure confidentiality, integrity, and accountability.

However, the provided information does not explicitly state the direct impact on compliance with these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the Insecure Direct Object Reference (IDOR) flaw in LinkAce version 2.5.5 or earlier. Specifically, an authenticated user can try to modify resources (links, lists, tags, or notes) owned by other users via the web UI or REST API.

One way to test is to send a PATCH request to update another user's resource, such as changing the URL of a link, and observe if the modification is allowed without ownership verification.

Example command using curl to test the REST API (replace placeholders accordingly):

  • curl -X PATCH https://your-linkace-instance/api/links/{target_link_id} -H "Authorization: Bearer {your_auth_token}" -H "Content-Type: application/json" -d '{"url": "http://malicious.example.com"}'

If the request succeeds in modifying a resource you do not own, the system is vulnerable.

Additionally, monitoring logs for unexpected PATCH requests modifying resources owned by other users can help detect exploitation attempts.
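The log-monitoring idea above needs two inputs the web server log alone does not give you: who the authenticated requester was, and who owns the resource the request touched. The following added script (not from the page or the LinkAce project) shows the correlation once both are available. The log line format with a `user=<id>` field, the ownership table and the log lines themselves are constructed assumptions for the example; in practice the ownership lookup would come from the application's database.

```php
<?php
// Added example, not from the page or the LinkAce project. Flags update
// requests (PATCH/PUT) against links, lists, tags or notes whose recorded
// owner differs from the requesting user. The log format, the ownership
// table and the sample lines are all constructed for this script.

declare(strict_types=1);

// Constructed ownership table: "<type>/<id>" => owner user id.
const OWNERS = [
    'links/42' => 1,
    'links/43' => 2,
    'lists/7'  => 1,
    'notes/9'  => 3,
];

// Constructed sample log lines; the "user=<id>" field is assumed to have
// been added by the application or a logging middleware.
const LOG_LINES = [
    '2026-05-29T10:00:01Z user=1 PATCH /api/links/42 200',
    '2026-05-29T10:00:05Z user=2 PATCH /api/links/42 200',
    '2026-05-29T10:00:09Z user=2 PATCH /api/links/43 200',
    '2026-05-29T10:00:12Z user=4 PUT /api/lists/7 200',
    '2026-05-29T10:00:15Z user=3 GET /api/notes/9 200',
    '2026-05-29T10:00:20Z user=5 PATCH /api/notes/9 403',
];

/**
 * Returns one record per update request whose target is owned by someone
 * other than the requester. A 2xx status means the modification went
 * through (the behaviour this CVE describes); a 403 means a control held.
 */
function findCrossOwnerUpdates(array $lines, array $owners): array
{
    $hits = [];
    $re = '#^(\S+) user=(\d+) (PATCH|PUT) /api/(links|lists|tags|notes)/(\d+) (\d{3})$#';

    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not an update to one of the four resource types
        }
        [, $ts, $uid, $method, $type, $id, $status] = $m;
        $key = "$type/$id";

        // Unknown resource or the requester is the owner: nothing to flag.
        if (!isset($owners[$key]) || $owners[$key] === (int) $uid) {
            continue;
        }

        $hits[] = [
            'time'      => $ts,
            'user'      => (int) $uid,
            'method'    => $method,
            'resource'  => $key,
            'owner'     => $owners[$key],
            'status'    => (int) $status,
            'succeeded' => $status[0] === '2',
        ];
    }
    return $hits;
}

foreach (findCrossOwnerUpdates(LOG_LINES, OWNERS) as $h) {
    printf(
        "%s user %d %s %s (owner %d) HTTP %d %s\n",
        $h['time'], $h['user'], $h['method'], $h['resource'],
        $h['owner'], $h['status'],
        $h['succeeded'] ? 'MODIFIED: review' : 'blocked'
    );
}
```

Run against an instance that is still on a version before 2.5.6, the "MODIFIED" lines are the ones to review; after upgrading to 2.5.6, the same cross-owner update attempts should appear only as blocked requests.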

