CVE-2026-45344
Remote Code Execution in LinkAce via Mail Configuration Injection
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linkace | linkace | < 2.5.6 (2.5.6 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in LinkAce versions prior to 2.5.6 during the setup database configuration flow on uninitialized instances. The setup process accepts database credential fields controlled by an attacker and writes them into the .env configuration file without proper escaping. If a remote attacker can access the setup endpoints and supply a database they control, they can inject mail configuration variables. This injection can lead to command execution when the application later sends mail.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a remote attacker to achieve command execution by injecting mail configuration variables through the setup database configuration flow. Such unauthorized command execution and potential data manipulation or exposure could lead to violations of data protection and security requirements mandated by standards like GDPR and HIPAA.
Specifically, the compromise of database credentials and mail configuration could result in unauthorized access to sensitive personal or health information, undermining confidentiality, integrity, and availability controls required by these regulations.
Therefore, organizations using vulnerable versions of LinkAce prior to 2.5.6 may face compliance risks if this vulnerability is exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability involves identifying uninitialized LinkAce instances that accept attacker-controlled database credentials during setup, and checking the .env file for entries that the setup flow should never have written.
One approach is to verify whether the LinkAce instance is version 2.5.5 or earlier and whether the setup endpoints are reachable without authentication.
You can also check the .env file for suspicious or unexpected environment variables, especially mail configuration variables that may have been injected.
- Check the LinkAce version: `grep 'version' /path/to/linkace/version` or check the application metadata.
- Check the .env file for unexpected mail configuration variables: `grep -nE '^MAIL_' /path/to/linkace/.env`. Because a newline injection adds whole extra `KEY=value` lines, also list keys defined more than once, which is the footprint such an injection leaves: `grep -oE '^[A-Z0-9_]+=' /path/to/linkace/.env | sort | uniq -d`
- Scan network traffic for requests to the setup endpoints that include database credential fields, which could indicate exploitation attempts.
- Use web server logs to identify POST requests to setup endpoints from suspicious IPs.
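The following is an added example, not code from LinkAce, that shows the CWE-74 pattern behind this CVE and the two defender-side responses to it: a writer that concatenates .env values verbatim (so a value carrying a newline becomes extra configuration lines) beside a hardened writer that rejects control characters and quotes values, plus an audit that reports duplicate keys in an existing .env. The key names and the sample password are constructed for the example; the .env grammar handled is a minimal subset (double-quoted values with backslash escapes).

```python
import re
from collections import Counter

KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def write_env_unsafe(settings):
    """Flawed writer (the CWE-74 pattern): values go in verbatim, so a value
    holding a newline becomes one or more extra KEY=value lines."""
    return "".join(f"{k}={v}\n" for k, v in settings.items())

def env_quote(value):
    """Neutralise a value for .env: refuse control characters (newline and CR
    are the injection vector) and double-quote it with backslash and quote
    escaped, a form a dotenv parser reads back as a single value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in env value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def write_env_safe(settings):
    """Hardened writer: validates key names and quotes every value."""
    out = []
    for key, val in settings.items():
        if not KEY_RE.match(key):
            raise ValueError(f"invalid env key {key!r}")
        out.append(f"{key}={env_quote(str(val))}\n")
    return "".join(out)

def parse_env(text):
    """Minimal .env reader: (key, value) pairs in file order; handles
    double-quoted values with backslash escapes, skips blanks and comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
        pairs.append((key.strip(), raw))
    return pairs

def duplicate_keys(text):
    """Defender check on an existing .env: keys defined more than once are
    where an injected MAIL_* line would land on top of the stock block."""
    counts = Counter(k for k, _ in parse_env(text))
    return sorted(k for k, n in counts.items() if n > 1)

# Constructed input: a credential carrying a newline, as the unescaped setup
# flow would have written it; the hardened writer rejects it outright.
INJECTED = {"DB_USERNAME": "linkace", "DB_PASSWORD": "pw\nMAIL_FROM_NAME=injected"}
```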
How can this vulnerability impact me?
The vulnerability allows a remote attacker to execute arbitrary commands on the server running LinkAce by injecting malicious mail configuration variables during setup. This can lead to full compromise of the application, including unauthorized access, data theft, or disruption of service.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in LinkAce version 2.5.6. Immediate mitigation involves upgrading any affected LinkAce instances to version 2.5.6 or later.
Additionally, restrict access to the setup endpoints on uninitialized LinkAce instances to prevent remote attackers from supplying malicious database credentials.