CVE-2026-45342
Deferred Deferred - Pending Action
Insecure Direct Object Reference in LinkAce Prior to 2.5.6

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45342
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linkace linkace to 2.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by attempting to exploit the Insecure Direct Object Reference (IDOR) flaw in LinkAce version 2.5.5 or earlier. Specifically, an authenticated user can try to modify resources (links, lists, tags, or notes) owned by other users via the web UI or REST API.

One way to test is to send a PATCH request to update another user's resource, such as changing the URL of a link, and observe if the modification is allowed without ownership verification.

Example command using curl to test the REST API (replace placeholders accordingly):

  • curl -X PATCH https://your-linkace-instance/api/links/{target_link_id} -H "Authorization: Bearer {your_auth_token}" -H "Content-Type: application/json" -d '{"url": "http://malicious.example.com"}'

If the request succeeds in modifying a resource you do not own, the system is vulnerable.

Additionally, monitoring logs for unexpected PATCH requests modifying resources owned by other users can help detect exploitation attempts.

Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in LinkAce versions prior to 2.5.6. It occurs in the authorization policy layer, allowing any authenticated user to modify resources owned by other users.

The affected resource types include links, lists, tags, and notes. Both the web user interface and the REST API are vulnerable.

The root cause is that the update() methods in the model policies check access based on resource visibility (public or internal) rather than ownership, allowing any registered user to edit any non-private resource regardless of ownership.

While delete operations correctly require ownership, update operations do not, leading to unauthorized modifications. Bulk edit operations are also affected.

This vulnerability was fixed in LinkAce version 2.5.6.

Impact Analysis

This vulnerability allows any authenticated user to modify resources (links, lists, tags, notes) owned by other users if those resources are not private.

As a result, unauthorized users could alter or corrupt data they do not own, potentially leading to data integrity issues, loss of trust, or misuse of shared information.

Since the vulnerability affects both the web UI and API, it increases the attack surface and risk of unauthorized changes.

Mitigation Strategies

The vulnerability is fixed in LinkAce version 2.5.6. The immediate step to mitigate this vulnerability is to upgrade your LinkAce installation to version 2.5.6 or later.

Compliance Impact

The vulnerability allows any authenticated user to modify resources owned by other users, including links, lists, tags, and notes, without proper ownership checks. This unauthorized modification capability could lead to unauthorized access and alteration of user data.

Such unauthorized access and modification of data may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to ensure confidentiality, integrity, and accountability.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45342. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart