CVE-2026-35516 Overview
CVE-2026-35516 is a Server-Side Request Forgery (SSRF) vulnerability in LinkAce, a self-hosted archive application designed to collect and manage website links. Prior to version 2.5.4, the LinkRepository::update and CheckLinksCommand::checkLink functions do not properly validate IP addresses, allowing an authenticated attacker to craft requests to internal network resources. This vulnerability enables attackers to read responses from internal services such as AWS IMDSv1, cloud metadata endpoints, and internal APIs by first creating a link with a public URL and then updating it to point to a private IP address.
Critical Impact
Authenticated users can exploit this SSRF vulnerability through the server-side link checking functionality to read cloud credentials and internal service data and to expose internal network topology.
Affected Products
- LinkAce versions prior to 2.5.4
Discovery Timeline
- 2026-04-07 - CVE-2026-35516 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35516
Vulnerability Analysis
This Server-Side Request Forgery vulnerability exists because LinkAce fails to implement proper IP address filtering in its link management functionality. The application allows users to create and update links that the server subsequently processes through a scheduled cron job (links:check). During this process, the server makes HTTP requests to the specified URLs without validating whether the target addresses resolve to private or internal network ranges.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), which describes a scenario where a web application fetches remote resources based on user-supplied input without properly validating the destination. In this case, an attacker can leverage the time gap between link creation and the cron job execution to pivot from a legitimate external URL to an internal target.
Root Cause
The root cause lies in the LinkRepository::update and CheckLinksCommand::checkLink functions, which process user-supplied URLs without implementing IP address blocklist validation. When a link is updated, the application accepts the new URL without checking if it resolves to RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or other reserved addresses. The scheduled links:check cron job then blindly makes requests to these addresses using the server's network context, effectively bypassing network segmentation controls.
Attack Vector
The attack follows a multi-step exploitation pattern that abuses the link update functionality:
- An authenticated user creates a new link pointing to a legitimate external URL, which passes any initial validation
- The attacker then updates the link to point to an internal IP address or cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/)
- When the links:check cron job executes, it makes a server-side request to the internal target
- The response from the internal service is captured and may be accessible to the attacker through the application
This attack is particularly dangerous in cloud environments where metadata services like AWS IMDSv1 can expose temporary credentials, instance identity documents, and other sensitive configuration data. For more technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35516
Indicators of Compromise
- HTTP requests from the LinkAce server to internal IP ranges (169.254.169.254, 10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Link entries in the database containing private IP addresses or cloud metadata URLs
- Unusual outbound requests to known metadata endpoints from the application server
- Log entries showing the links:check command accessing internal resources
Detection Strategies
- Monitor network traffic from the LinkAce server for connections to RFC 1918 private address ranges
- Implement egress filtering and alert on any attempts to reach cloud metadata endpoints (169.254.169.254)
- Review LinkAce database for link entries containing internal IP addresses or localhost references
- Enable verbose logging for the links:check cron job to capture all URL requests
Monitoring Recommendations
- Configure network-level monitoring to detect SSRF attempts targeting internal services
- Implement cloud provider security features such as IMDSv2 enforcement to mitigate metadata service abuse
- Set up alerts for any database modifications to link URLs that introduce private IP addresses
- Monitor application logs for errors or unexpected responses from internal network ranges
How to Mitigate CVE-2026-35516
Immediate Actions Required
- Upgrade LinkAce to version 2.5.4 or later immediately
- Audit existing links in the database for any entries pointing to internal IP addresses or metadata endpoints
- Review server logs for evidence of exploitation attempts
- Restrict network egress from the LinkAce server to only necessary external resources
Patch Information
This vulnerability has been addressed in LinkAce version 2.5.4. The fix implements proper IP address validation in the LinkRepository::update and CheckLinksCommand::checkLink functions to reject requests targeting private and reserved IP ranges. Users should upgrade to this version as soon as possible.
For additional details about the security fix, see the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, disable the links:check cron job until the update can be applied
- Implement network-level egress filtering to block requests from the application server to internal IP ranges
- Configure the cloud environment to use IMDSv2 instead of IMDSv1 to require session tokens for metadata access
- Consider placing the LinkAce server in an isolated network segment with restricted internal access
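As an added example (not LinkAce's code), the destination check that the advisory describes, written in Python: it resolves the link host, rejects any answer inside the RFC 1918, link-local (169.254.169.254) or loopback ranges, and doubles as the audit over stored links recommended under Detection Strategies and Immediate Actions above. Because the flaw is the gap between a link update and the links:check run, the same check has to run both when a link is saved and again immediately before the cron job fetches it. The blocklist, the sample link URLs and the offline DNS table are constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Ranges a link may never resolve to. Constructed for this example (not LinkAce's own
# list): the RFC 1918 and 169.254.0.0/16 metadata ranges the advisory names, plus
# loopback, CGNAT and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]

def default_resolver(host: str) -> List[str]:
    # Every A/AAAA answer, so a host with one public and one private record is caught
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_private_target(url: str, resolve: Callable[[str], List[str]] = default_resolver) -> bool:
    """True if the URL must be rejected: non-HTTP scheme, missing or unresolvable
    host, or any resolved address inside a blocked network."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]   # IP literal, no DNS lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (socket.gaierror, ValueError):
            return True

    def unmap(a):  # ::ffff:10.0.0.1 is an IPv4 address in disguise; compare its IPv4 form
        return a.ipv4_mapped if a.version == 6 and a.ipv4_mapped is not None else a

    return not addrs or any(unmap(a) in net for a in addrs for net in BLOCKED_NETWORKS)

def audit_links(urls: Iterable[str], resolve=default_resolver) -> List[str]:
    """Detection side: the stored link URLs whose target is a blocked range."""
    return [u for u in urls if is_private_target(u, resolve)]

# Constructed sample data: stored link URLs and an offline DNS table for the demo.
STORED_LINKS = [
    "https://example.com/article", "http://169.254.169.254/latest/meta-data/",
    "http://10.0.0.5:8080/internal-api", "http://[::ffff:192.168.1.10]/",
    "http://metadata.internal/",
]
FAKE_DNS = {"example.com": ["203.0.113.10"], "metadata.internal": ["10.0.0.9"]}

def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

Running audit_links(STORED_LINKS, fake_resolver) returns the last four sample links; with default_resolver the same functions work against live DNS.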
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

