How is CVE-2026-45344 exploited?

Network reachability (required): The attacker must reach the LinkAce setup endpoint over the network; only internet-exposed or network-reachable uninitialized instances are at risk. Authentication (not-required): No account or credentials are needed; the setup endpoint is publicly accessible on uninitialized instances by design. Victim interaction (not-required): No user action is required; the attacker sends crafted HTTP requests directly to the setup endpoint. Attack complexity (info): Exploitation requires the attacker to control a database server and wait for the application to send mail, introducing environmental dependencies that make reliable exploitation harder.

What is the impact of CVE-2026-45344?

The attacker executes arbitrary operating-system commands in the context of the LinkAce application process. Successful command execution exposes all stored link archives, user account data, and any secrets held in the application environment. The attacker can modify or delete persisted database records, corrupting the link archive. The attacker can crash or permanently disable the LinkAce service by terminating the application process or destroying its configuration.

Back to search

HIGHCVE-2026-45344Published 2026-05-28Modified 2026-05-28CNA GitHub_M

CVE-2026-45344: LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.

HarborGuard Analysis

HarborGuard analysis

Synopsis

Newline injection in the setup database-password field affects LinkAce, a self-hosted link archive application. A remote attacker with no authentication can reach the setup endpoint on any uninitialized instance over the network and supply a crafted database password that injects arbitrary lines into the application's .env configuration file, including mail-handler directives. Once the application sends mail, those injected directives execute attacker-supplied commands, achieving remote code execution. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-45344 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package LinkAce.

Available

Triage

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights it further against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer org.

Available

Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a fix; for customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the LinkAce setup endpoint over the network; only internet-exposed or network-reachable uninitialized instances are at risk.
AuthenticationNot required
No account or credentials are needed; the setup endpoint is publicly accessible on uninitialized instances by design.
Victim interactionNot required
No user action is required; the attacker sends crafted HTTP requests directly to the setup endpoint.
Attack complexityDetail
Exploitation requires the attacker to control a database server and wait for the application to send mail, introducing environmental dependencies that make reliable exploitation harder.

Blast Radius

The attacker executes arbitrary operating-system commands in the context of the LinkAce application process.
Successful command execution exposes all stored link archives, user account data, and any secrets held in the application environment.
The attacker can modify or delete persisted database records, corrupting the link archive.
The attacker can crash or permanently disable the LinkAce service by terminating the application process or destroying its configuration.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45344 is active across all customer environments scanning images that include LinkAce. Because no upstream fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the project publishes a fix. In the meantime, compensating controls are worth enabling where possible: network-policy rules that restrict inbound access to the LinkAce setup endpoint, egress filtering that prevents the application container from reaching attacker-controlled SMTP infrastructure, and feature-flag or route-level gating of the setup flow on any instance that has already been initialized. For customers with auto-remediation enabled, the patched rebuild, regression run, and PR against affected workloads will be triggered without manual action the moment an upstream fix is ingested.

See how HarborGuard automates this

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Kovah / LinkAce
< 2.5.6

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/Kovah/LinkAce/security/advisories/GHSA-37m5-936h-w455