CVE-2026-30953: CWE-918: Server-Side Request Forgery (SSRF) in Kovah LinkAce
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.
AI Analysis
Technical Summary
CVE-2026-30953 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 affecting Kovah's LinkAce, a self-hosted link archiving platform. The vulnerability exists because the POST /links endpoint, which creates a new link, fetches HTML metadata from the submitted URL without enforcing the NoPrivateIpRule validation. That rule is meant to block requests to private IP ranges, Docker service hostnames, and cloud provider metadata endpoints. It is applied only in FetchController.php, while the primary link creation path (LinkRepository::create() calling HtmlMeta::getFromUrl()) runs under LinkStoreRequest rules that omit it, so the destination is checked on one fetch path and never on the main one. As a result, an attacker with a low-privileged account, that is, any account allowed to create links, can submit a crafted URL that causes the server to make HTTP requests to internal network resources. This can lead to information disclosure from internal services and cloud metadata endpoints (which may return credentials or tokens), and can enable further lateral movement or privilege escalation within the victim's network. The vulnerability affects all LinkAce versions up to and including 2.0.0. The CVSS v3.1 score is 7.7 (High): network attack vector, low attack complexity, low privileges required, no user interaction, a confidentiality impact and a scope change (the request originates from the server and reaches systems the attacker could not address directly). No public exploit has been reported, but the flaw is trivial to trigger once an account exists, so it is a serious concern for organizations running LinkAce in sensitive environments.
Potential Impact
The SSRF vulnerability in LinkAce can have severe consequences for organizations. By exploiting this flaw, attackers can make the vulnerable server perform HTTP requests to internal network services that are not reachable from outside: other containers on the same Docker network (database, cache or admin tooling addressed by service name), internal management consoles, and cloud metadata services that often return credentials or tokens. What the attacker gets back is bounded by what the metadata parser surfaces from the response (for example a page title or description) together with error and timing differences, so the realistic first outcome is discovery and partial readout of internal HTTP services; where a metadata endpoint answers a plain GET without a challenge, that readout can include credentials. Disclosure of such information can facilitate further attacks including privilege escalation, data exfiltration, and lateral movement within the network. Because LinkAce is self-hosted, every deployment carries its own network and cloud context, and an unpatched instance exposes whatever that context reaches. Exploitation compromises confidentiality without directly affecting integrity or availability, but the resulting information leakage can enable more damaging attacks. The requirement for low privileges means that any account able to create links, including a compromised one, can leverage this flaw. Overall, the impact is high, especially in cloud or containerized environments where metadata endpoints and service hostnames are reachable from the application container.
Mitigation Recommendations
To mitigate CVE-2026-30953, organizations should upgrade LinkAce to a version where the NoPrivateIpRule validation is applied to every URL fetch, including the primary link creation endpoint. If an official patch is not yet available, administrators should add validation that rejects a URL before it is fetched when its host is a literal private, loopback or link-local address, a single-label Docker service name, or a name that resolves to any such address; the check must consider every address the name resolves to and must be repeated on each redirect the fetch follows, because a check done once on the submitted string is bypassed by a redirect or by a DNS answer that changes between validation and connection. Because such application-level checks are easy to get wrong, pair them with network-level controls: firewall or egress rules that stop the LinkAce container or host from opening outbound HTTP connections to RFC 1918 ranges, to the cloud metadata address (169.254.169.254) and to neighbouring services the application does not need. On cloud hosts, require the token-based metadata service variant where the provider offers one (for example AWS IMDSv2), which a plain GET issued through an SSRF cannot satisfy on its own. Additionally, running LinkAce with the least privileges necessary and isolating it in a segmented network zone reduces the damage if it is exploited. Monitoring for outbound requests from the LinkAce server to internal or metadata addresses, and for stored links whose URL points at such targets, may help detect exploitation attempts. Finally, treat every account that can create links as able to trigger the fetch: restrict account creation and review existing users, since the flaw requires only that level of access.
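The following is an added example, not LinkAce's code and not its NoPrivateIpRule; it illustrates what the missing check in the link creation path (described under Technical Summary) has to cover and how the interim validation recommended above can be done without the usual gaps. The DNS table, the `fake_opener` HTTP stand-in and the `opener(ip, url)` interface are constructed for this example; a real opener would connect to the pinned address and use the URL's own host for the Host header and TLS name.

```python
"""SSRF guard for a user-supplied link URL.

Added illustration, not LinkAce's own NoPrivateIpRule. A rule on the POST
/links input has to cover: every address a host resolves to, IPv4 wrapped
inside IPv6, the address actually connected to (pinned, so the DNS answer
cannot change between check and fetch), and each redirect hop.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urljoin, urlparse

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # not flagged by is_global on every version
NAT64 = ipaddress.ip_network("64:ff9b::/96")   # carries an IPv4 address in the low 32 bits


def resolve_all(host: str) -> List[IPAddr]:
    """Every A/AAAA answer for host from the system resolver. getaddrinfo also
    accepts forms such as 2130706433 or 127.1 and returns 127.0.0.1 for them,
    which is why the decision is made on resolved addresses, not on strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(i[4][0]) for i in infos]


def is_forbidden_ip(ip: IPAddr) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.169.254 included),
    CGNAT, ULA, unspecified and reserved space, after unwrapping IPv4
    addresses embedded in IPv6 (::ffff:10.0.0.1, 64:ff9b::a00:1)."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        elif ip in NAT64:
            ip = ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    if ip in CGNAT:
        return True
    return not ip.is_global


def check_url(url: str, resolver: Callable[[str], List[IPAddr]] = resolve_all
              ) -> Tuple[Optional[str], List[IPAddr]]:
    """Validate url. Returns (rejection_reason, vetted_addresses); the reason
    is None when the URL may be fetched from one of those addresses."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "scheme must be http(s) and a host is required", []
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, including [v6]
    except ValueError:
        if "." not in host:  # localhost, redis, db, ... (Docker service names)
            return "single-label hosts are refused", []
        try:
            addrs = resolver(host)
        except socket.gaierror:
            return "host does not resolve", []
    if any(is_forbidden_ip(a) for a in addrs):  # one bad answer fails the whole URL
        return "resolves to a non-public address", []
    return None, addrs


def guarded_fetch(url: str, opener, resolver=resolve_all, max_redirects: int = 3):
    """Fetch url via opener(ip, url) -> (status, location, body), an assumed
    interface whose implementation connects to ip and keeps the URL's host for
    Host/SNI. Every redirect target is re-checked before it is followed; a
    forbidden hop raises ValueError."""
    for _ in range(max_redirects + 1):
        reason, addrs = check_url(url, resolver)
        if reason:
            raise ValueError(f"refused {url}: {reason}")
        status, location, body = opener(addrs[0], url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise ValueError("too many redirects")


def fetch_or_reason(url: str, opener, resolver=resolve_all) -> Tuple[str, object]:
    """('ok', body) or ('refused', message), for callers that prefer a result."""
    try:
        return "ok", guarded_fetch(url, opener, resolver)[1]
    except ValueError as e:
        return "refused", str(e)


# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # mixed public/private answers
}


def fake_resolver(host: str) -> List[IPAddr]:
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


def fake_opener(ip: IPAddr, url: str):
    """Constructed HTTP stand-in: /jump redirects to the metadata service."""
    if url == "https://example.org/jump":
        return 302, "http://169.254.169.254/latest/meta-data/", b""
    return 200, None, b"<title>ok</title>"


if __name__ == "__main__":
    for u in ("https://example.org/", "http://redis:6379/", "http://[::ffff:10.0.0.1]/",
              "http://metadata.google.internal/", "http://rebind.attacker.test/"):
        print(u, "->", check_url(u, fake_resolver)[0] or "allowed")
    print(fetch_or_reason("https://example.org/jump", fake_opener, fake_resolver))
```

The two design points worth copying are that `check_url` fails the URL if any resolved address is non-public (an attacker controls which of several answers a client picks), and that `guarded_fetch` re-runs the check on every redirect rather than trusting the first hop; both are gaps a rule that only inspects the submitted string leaves open.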
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:34:39.980Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69b082c52f860ef943b7fd49
Added to database: 3/10/2026, 8:44:53 PM
Last enriched: 3/10/2026, 8:59:07 PM
Last updated: 3/13/2026, 3:28:18 PM