CVE-2026-33953 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 affecting Kovah's LinkAce, a self-hosted link archiving application. The vulnerability exists in versions prior to 2.5.3, where the application attempts to block direct requests to private IP addresses but fails to prevent server-side requests when internal resources are referenced via internal hostnames. An authenticated user can exploit this by submitting links that resolve to internal-only hostnames, causing the LinkAce server to perform unauthorized requests to internal network services that are otherwise inaccessible externally. This can lead to unauthorized information disclosure, as internal services may respond with sensitive data. The vulnerability does not require user interaction beyond authentication, and the attacker can leverage it to bypass network segmentation protections. The CVSS v3.1 score is 8.5 (high), reflecting the high confidentiality impact, low attack complexity, and the requirement for privileges (authenticated user). The vulnerability has been patched in LinkAce version 2.5.3, which properly restricts server-side requests to internal resources regardless of hostname resolution. No public exploit code or active exploitation has been reported to date.

The primary impact of CVE-2026-33953 is the potential unauthorized access to internal network resources by authenticated users of LinkAce. This can lead to significant confidentiality breaches, as internal services may expose sensitive information not intended for external or general user access. Attackers could leverage this SSRF to perform internal network reconnaissance, pivot to other internal systems, or access metadata services and other sensitive endpoints. Although the integrity and availability impacts are limited, the breach of confidentiality alone can have severe consequences, including data leakage, exposure of internal infrastructure, and facilitation of further attacks. Organizations relying on LinkAce for link management and archiving may inadvertently expose internal services if running vulnerable versions. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with many users or weak access controls.

To mitigate CVE-2026-33953, organizations should immediately upgrade LinkAce to version 2.5.3 or later, where the SSRF vulnerability is patched. Beyond patching, administrators should implement strict network segmentation and firewall rules to limit the LinkAce server's ability to initiate outbound requests to sensitive internal services. Employing allowlists for outbound HTTP requests from the LinkAce server can further reduce risk. Additionally, review and tighten authentication and authorization controls to restrict LinkAce access only to trusted users. Monitoring and logging of outbound requests from the LinkAce server can help detect anomalous SSRF attempts. If upgrading is not immediately possible, consider disabling features that trigger server-side requests or isolating the LinkAce server in a network segment with minimal access to internal resources. Regular vulnerability scanning and penetration testing should include SSRF scenarios to detect similar issues proactively.