CVE-2026-45342: LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.
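To make the root cause concrete, the following is an added example, not LinkAce's own code: a minimal PHP model of the vulnerable update() beside the owner-only form that delete() already uses. Class names, the Visibility enum and the link fields are assumptions of this sketch; only User::is() mirrors the Laravel Model::is() call named in the advisory.

```php
<?php
// Added example, not LinkAce's code: a minimal model of the policy pattern the
// advisory describes. User::is() mirrors Laravel's Model::is(); everything else
// (class names, Visibility enum, the link fields) is an assumption of this sketch.
enum Visibility { case PublicLink; case InternalLink; case PrivateLink; }

final class User {
    public function __construct(public readonly int $id) {}
    public function is(User $other): bool { return $this->id === $other->id; }
}

final class Link {
    public function __construct(
        public readonly User $user,            // owner of the link
        public readonly Visibility $visibility,
        public string $url,
    ) {}
}

// Read-access helper: anything non-private is visible to every registered user.
// Correct for viewing, but it says nothing about ownership.
function userCanAccessLink(User $user, Link $link): bool {
    return $link->visibility !== Visibility::PrivateLink || $link->user->is($user);
}

final class LinkPolicyBefore {
    // Vulnerable pattern: update() reuses the visibility check, so any
    // authenticated user may edit another user's public or internal link.
    public function update(User $user, Link $link): bool { return userCanAccessLink($user, $link); }
    // delete() already requires ownership.
    public function delete(User $user, Link $link): bool { return $link->user->is($user); }
}

final class LinkPolicyAfter {
    // Hardened form: update() is owner-only, consistent with delete().
    public function update(User $user, Link $link): bool { return $link->user->is($user); }
    public function delete(User $user, Link $link): bool { return $link->user->is($user); }
}

// Constructed sample data: alice owns a public link; bob is any other account.
$alice = new User(1);
$bob   = new User(2);
$link  = new Link($alice, Visibility::PublicLink, 'https://example.com/');

// bob is not the owner: the vulnerable policy still grants the update, the fixed one denies it.
var_dump((new LinkPolicyBefore())->update($bob, $link));
var_dump((new LinkPolicyAfter())->update($bob, $link));
// The owner keeps the ability to edit under both policies.
var_dump((new LinkPolicyAfter())->update($alice, $link));
```

The same owner check is what the advisory says the API-layer userCanUpdateModel() and the bulk-edit path need, since both mirror the visibility-only check shown in LinkPolicyBefore.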
HarborGuard Analysis
Synopsis
An Insecure Direct Object Reference (IDOR) vulnerability affects LinkAce, a self-hosted link archive application. Any authenticated user can send crafted requests over the network to modify links, lists, tags, and notes owned by other users, because the update authorization policy checks only whether a resource is publicly visible rather than whether the requesting user owns it. Successful exploitation lets an attacker overwrite or corrupt another user's stored content across the entire LinkAce instance. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Available: Detection of CVE-2026-45342 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle LinkAce. Any image running a LinkAce version below 2.5.6 is flagged automatically in both registry scans and CI pipeline checks.
- Available: HarborGuard scores this CVE at CVSS 7.1 (High) using the published v4.0 vector and surfaces it in the triage queue weighted against each environment's compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Pending upstream: Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release is confirmed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention once a fix version appears.
Exploit Conditions
- Network reachability: Required
The attacker must reach the LinkAce web application or REST API over the network; there is no local-only attack path.
- Authentication: Required
Any low-privilege registered account is sufficient; no administrative or elevated credentials are needed.
- Victim interaction: Not required
The attacker sends requests directly to the application; no action from the targeted user is needed.
- Attack complexity: Low
Exploitation is reliable and condition-free: the attacker only needs a valid session and the numeric ID of the target resource, with no race conditions or memory layout dependencies.
Blast Radius
- An attacker reads metadata and content of any non-private link, list, tag, or note across the entire instance, even those belonging to other users.
- An attacker overwrites the URL, title, description, or tags on any public or internal link owned by another user, corrupting their archived data.
- Bulk edit operations via BulkEditController allow mass modification of multiple resources in a single request, amplifying the scope of tampering.
- The REST API surface mirrors the same broken authorization check, so automated scripts or integrations can exploit this without using the web UI.
How HarborGuard Handles This
Available on HarborGuard: images running LinkAce below version 2.5.6 are flagged as affected by this High-severity IDOR on every scan cycle. Because no upstream patch has been published yet, HarborGuard monitors the advisory on each ingest pass and will trigger a patched-image rebuild automatically as soon as a fix version is released. For customers with auto-remediation enabled, that flow includes a regression test run and a PR opened against affected workloads with no manual steps required. In the interim, consider compensating controls such as network-policy rules that restrict LinkAce access to trusted internal users only, disabling the REST API endpoint if it is not required, and enforcing stricter visibility settings (private by default) on all resources to reduce the pool of objects an authenticated attacker can target.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Kovah / LinkAce < 2.5.6
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N