CVE-2026-33954 is a medium-severity improper authorization vulnerability (CWE-285) affecting Kovah's LinkAce, a self-hosted web link archiving tool. In versions prior to 2.5.3, the web interface improperly handles visibility controls for private notes attached to links. While the API correctly restricts access to private notes, the web link detail page fails to enforce these restrictions, allowing any authenticated user who can view another user's internal or public link to also view that user's private notes attached to the link. This discrepancy between API and web interface authorization checks leads to unauthorized disclosure of sensitive information. The vulnerability requires authentication but no additional user interaction, and exploitation can be performed remotely over the network. The flaw impacts confidentiality but does not affect integrity or availability. The issue was publicly disclosed on March 27, 2026, and fixed in LinkAce version 2.5.3. No known exploits are reported in the wild as of now.

The primary impact of this vulnerability is unauthorized disclosure of private notes, which may contain sensitive or confidential information. Organizations using LinkAce for internal knowledge management or link archiving could inadvertently expose private annotations to other authenticated users, potentially leading to information leakage within the organization. This could undermine trust in the platform, violate privacy policies, or expose strategic or proprietary data. Since the vulnerability does not affect data integrity or availability, the risk is limited to confidentiality breaches. However, in environments where LinkAce is used by multiple users with varying access levels, the impact could be significant, especially if private notes contain sensitive operational or business intelligence. The medium CVSS score reflects the moderate risk posed by this issue.

The most effective mitigation is to upgrade LinkAce to version 2.5.3 or later, where the vulnerability is patched. Until an upgrade is possible, organizations should restrict access to the LinkAce web interface to trusted users only and consider limiting user permissions to minimize exposure. Administrators can audit existing private notes and assess their sensitivity, removing or relocating highly sensitive information if needed. Additionally, monitoring access logs for unusual patterns of note access may help detect exploitation attempts. Implementing network-level controls such as VPNs or IP whitelisting can reduce exposure to unauthorized users. Finally, educating users about the risk of storing sensitive information in private notes until the patch is applied is advisable.