CVE-2026-30953 Overview
CVE-2026-30953 is a Server-Side Request Forgery (SSRF) vulnerability affecting LinkAce, a self-hosted archive application for collecting website links. The vulnerability exists in the link creation functionality where the server fetches HTML metadata from user-provided URLs without properly validating whether those URLs point to internal or private network addresses.
When a user creates a link via POST /links, the server calls LinkRepository::create() which in turn invokes HtmlMeta::getFromUrl() to fetch metadata. The LinkStoreRequest validation rules fail to include the existing NoPrivateIpRule class, allowing attackers with authenticated access to make server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints.
Critical Impact
Authenticated attackers can leverage this SSRF vulnerability to access internal network resources, retrieve sensitive cloud metadata (such as AWS/GCP/Azure instance credentials), and enumerate internal services that should not be accessible from the public internet.
Affected Products
- LinkAce (self-hosted link archive application)
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-30953 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30953
Vulnerability Analysis
This SSRF vulnerability (CWE-918) allows authenticated users to manipulate the server into making HTTP requests to arbitrary internal resources. The root cause is an inconsistent application of security controls within the LinkAce codebase.
The application already contains a defensive mechanism—the NoPrivateIpRule class located at app/Rules/NoPrivateIpRule.php—designed to prevent requests to private IP ranges and internal hostnames. However, this rule is only enforced in FetchController.php (line 99) and critically omitted from the primary link creation path in LinkStoreRequest.
This inconsistency means that while one endpoint is protected against SSRF attacks, the main link creation functionality remains vulnerable. Attackers can exploit this to probe internal network infrastructure, access cloud provider metadata endpoints (commonly at 169.254.169.254), communicate with Docker-internal services by hostname, and potentially exfiltrate sensitive configuration data or credentials.
Root Cause
The vulnerability stems from inconsistent validation rule application across different code paths. The LinkStoreRequest validation rules do not include NoPrivateIpRule, while FetchController.php properly implements this protection. This represents a defense-in-depth failure where security controls were implemented but not uniformly applied across all user-controlled input vectors that trigger server-side HTTP requests.
Attack Vector
An authenticated attacker can exploit this vulnerability by submitting a link creation request with a malicious URL pointing to internal resources. The attack requires only low privileges (authenticated user access) and can be executed remotely over the network without user interaction.
Attack scenarios include:
- Cloud Metadata Access: Submitting URLs like http://169.254.169.254/latest/meta-data/ to retrieve cloud instance credentials and configuration
- Internal Service Enumeration: Using Docker service hostnames or internal IP ranges to discover and interact with backend services
- Firewall Bypass: Leveraging the server's trusted network position to access resources that are protected from external access
The vulnerability has a changed scope impact, meaning successful exploitation can affect resources beyond the vulnerable component's security scope, potentially compromising confidentiality of internal systems and cloud infrastructure.
Detection Methods for CVE-2026-30953
Indicators of Compromise
- Outbound HTTP requests from the LinkAce server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8)
- Requests to cloud metadata endpoints such as 169.254.169.254 originating from the application
- Unusual link creation requests containing internal hostnames or Docker service names
- Access logs showing repeated link creation attempts with varying internal IP addresses (enumeration behavior)
Detection Strategies
- Monitor application logs for POST /links requests containing URLs with private IP addresses or cloud metadata endpoint addresses
- Implement network-level detection for outbound connections from the LinkAce server to RFC 1918 address spaces
- Review web server access logs for patterns indicating internal network scanning through the link creation endpoint
- Deploy egress filtering alerts for connections to 169.254.169.254 from application servers
Monitoring Recommendations
- Enable verbose logging in LinkAce to capture full URL parameters in link creation requests
- Configure network monitoring to alert on any outbound connections from the web application tier to internal service ports
- Implement SIEM rules to correlate multiple failed internal resource access attempts with link creation activity
- Monitor for unusual patterns of link creation from single user accounts that may indicate reconnaissance activity
How to Mitigate CVE-2026-30953
Immediate Actions Required
- Review the GitHub Security Advisory for official guidance and patch information
- Apply the NoPrivateIpRule validation to the LinkStoreRequest validation rules for the URL field
- Implement network-level egress filtering to block outbound requests from the application server to internal IP ranges and cloud metadata endpoints
- Audit user activity logs to identify any potential exploitation attempts
Patch Information
Refer to the GitHub Security Advisory GHSA-f2mp-q78r-7jx7 for the latest patch information and remediation guidance from the LinkAce maintainers. The fix involves adding the existing NoPrivateIpRule class to the LinkStoreRequest validation rules, ensuring consistent SSRF protection across all URL input vectors.
Workarounds
- Configure network firewall rules to prevent the web application server from initiating connections to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8)
- Block outbound access to cloud metadata endpoints (169.254.169.254) at the network level
- Manually apply the NoPrivateIpRule validation to the link creation endpoint by modifying LinkStoreRequest validation rules
- Restrict link creation functionality to trusted administrator accounts until the patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
