CVE-2026-45342: CWE-639: Authorization Bypass Through User-Controlled Key in Kovah LinkAce
LinkAce versions prior to 2. 5. 6 contain an authorization bypass vulnerability (CWE-639) that allows any authenticated user to modify public or internal resources owned by other users. This affects links, lists, tags, and notes via both the web UI and REST API. The flaw arises from update authorization checks that rely solely on resource visibility rather than ownership, permitting unauthorized edits. The delete operations correctly enforce ownership checks, indicating the update flaw is unintended. Bulk edit operations are also impacted. This vulnerability is fixed in version 2. 5. 6.
AI Analysis
Technical Summary
CVE-2026-45342 is an authorization bypass vulnerability in Kovah's LinkAce prior to version 2.5.6. The issue stems from insecure direct object references in the update() methods of LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy, where access checks allow any authenticated user to update resources with non-private visibility regardless of ownership. The API layer mirrors this flawed logic. Delete operations correctly require ownership, highlighting the inconsistency. BulkEditController is also vulnerable. The vulnerability enables unauthorized modification of links, lists, tags, and notes. The flaw is resolved in LinkAce 2.5.6.
Potential Impact
Any authenticated user on a vulnerable LinkAce instance can modify public or internal resources owned by other users, including links, lists, tags, and notes. This could lead to unauthorized data alteration, undermining data integrity and trust in the system. The vulnerability does not allow deletion without ownership, but unauthorized updates can still cause significant impact. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in LinkAce version 2.5.6. Users should upgrade to version 2.5.6 or later to remediate this issue. Since this is a self-hosted product, administrators must apply the update manually. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 2.5.6. No alternative mitigations are indicated.
CVE-2026-45342: CWE-639: Authorization Bypass Through User-Controlled Key in Kovah LinkAce
Description
LinkAce versions prior to 2. 5. 6 contain an authorization bypass vulnerability (CWE-639) that allows any authenticated user to modify public or internal resources owned by other users. This affects links, lists, tags, and notes via both the web UI and REST API. The flaw arises from update authorization checks that rely solely on resource visibility rather than ownership, permitting unauthorized edits. The delete operations correctly enforce ownership checks, indicating the update flaw is unintended. Bulk edit operations are also impacted. This vulnerability is fixed in version 2. 5. 6.
CVSS v4.0
Score 7.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45342 is an authorization bypass vulnerability in Kovah's LinkAce prior to version 2.5.6. The issue stems from insecure direct object references in the update() methods of LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy, where access checks allow any authenticated user to update resources with non-private visibility regardless of ownership. The API layer mirrors this flawed logic. Delete operations correctly require ownership, highlighting the inconsistency. BulkEditController is also vulnerable. The vulnerability enables unauthorized modification of links, lists, tags, and notes. The flaw is resolved in LinkAce 2.5.6.
Potential Impact
Any authenticated user on a vulnerable LinkAce instance can modify public or internal resources owned by other users, including links, lists, tags, and notes. This could lead to unauthorized data alteration, undermining data integrity and trust in the system. The vulnerability does not allow deletion without ownership, but unauthorized updates can still cause significant impact. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in LinkAce version 2.5.6. Users should upgrade to version 2.5.6 or later to remediate this issue. Since this is a self-hosted product, administrators must apply the update manually. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 2.5.6. No alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T21:40:08.177Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a18b4aee29bf47b5032f45d
Added to database: 5/28/2026, 9:33:34 PM
Last enriched: 5/28/2026, 9:48:41 PM
Last updated: 5/28/2026, 10:39:41 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.