CVE-2026-40905 is an open redirect vulnerability (CWE-601) in Kovah LinkAce before version 2.5.4. The application uses the user-controlled X-Forwarded-Host HTTP header when creating password reset URLs. By tampering with this header during a password reset request, an attacker can inject a malicious domain into the reset link sent via email. This causes the victim to receive a password reset email with a link pointing to an attacker-controlled site. When the victim clicks the link, the password reset token is leaked to the attacker, who can then reset the victim's password and take over the account. The vulnerability has a CVSS 3.1 base score of 8.1 (high severity) with network attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality and integrity impact. The issue is fixed in LinkAce version 2.5.4.

Successful exploitation allows an attacker to obtain the victim's password reset token by redirecting the victim to a malicious domain. This enables the attacker to reset the victim's password and gain full account access. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no known exploits in the wild at this time.

Upgrade Kovah LinkAce to version 2.5.4 or later, where this vulnerability is fixed. Since no official patch link or advisory is provided, verify the upgrade from the vendor's official release notes or repository. Until upgraded, avoid exposing the application to untrusted HTTP headers such as X-Forwarded-Host or implement strict validation of such headers in password reset workflows.