CVE-2025-62721 is a vulnerability identified in Kovah LinkAce, a self-hosted link archiving platform, affecting versions 2.3.1 and earlier. The flaw resides in the FeedController class's authenticated RSS feed endpoints, which fail to enforce proper authorization checks. Consequently, any authenticated user can retrieve all stored links, lists, and tags belonging to all users within the system, regardless of ownership or visibility settings. This represents an exposure of sensitive information (CWE-200) and improper access control (CWE-284). The vulnerability is exploitable remotely over the network without requiring user interaction, but it does require the attacker to have valid authentication credentials. The CVSS 4.0 base score is 7.1, indicating high severity primarily due to the high confidentiality impact and low attack complexity. The vulnerability does not affect integrity or availability but compromises user privacy and data confidentiality. No known exploits are currently reported in the wild. The issue was publicly disclosed on November 4, 2025, and fixed in LinkAce version 2.4.0. Organizations using vulnerable versions should prioritize patching to prevent unauthorized data disclosure. Given LinkAce’s role in managing potentially sensitive link collections, this vulnerability could lead to exposure of confidential or proprietary information if exploited.

For European organizations, this vulnerability poses a significant risk to confidentiality, especially for entities relying on LinkAce to manage sensitive or proprietary link archives. Unauthorized access to all users’ links and tags could lead to data leakage, intellectual property exposure, or privacy violations under GDPR. Organizations with multiple users and collaborative link management are particularly vulnerable, as any authenticated user can access data beyond their privileges. This could undermine trust in internal systems and lead to regulatory penalties if sensitive personal or business information is exposed. The vulnerability does not impact system availability or data integrity but can facilitate insider threats or lateral movement by exposing sensitive information. The lack of user interaction and low attack complexity increase the likelihood of exploitation in environments where authentication credentials are compromised or shared. The absence of known exploits in the wild suggests limited current exploitation but does not diminish the urgency of remediation.

The primary mitigation is to upgrade all LinkAce instances to version 2.4.0 or later, where the authorization checks are properly implemented. Organizations should audit their current LinkAce deployments to identify affected versions and prioritize patching. Additionally, review and tighten authentication mechanisms to reduce the risk of credential compromise, including enforcing strong password policies and multi-factor authentication where possible. Conduct access reviews to ensure users have appropriate permissions and monitor access logs for unusual activity indicative of unauthorized data access. Consider network segmentation or restricting access to LinkAce instances to trusted internal networks or VPNs to reduce exposure. Implement security awareness training to inform users about the risks of credential sharing. Finally, establish incident response plans to quickly address any suspected data exposure incidents stemming from this vulnerability.