Platform: docker
Component: docker
Fixed in: 2.0.1
CVE-2026-30953 describes a server-side request forgery (SSRF) vulnerability in LinkAce, a self-hosted archive for collecting website links. The flaw lets an attacker who can create links make the LinkAce server issue requests to internal network addresses, potentially exposing sensitive data or reaching services that were never meant to be exposed. The vulnerability affects LinkAce versions up to and including 2.0.0; 2.0.1 is the fixed version listed above. Mitigation strategies are outlined below.
The SSRF vulnerability in LinkAce arises from insufficient validation during link creation via POST requests to /links. When a link is created on this path, the server fetches HTML metadata from the supplied URL without enforcing the restriction on internal network addresses. An attacker can use this to make the server request internal services, other containers reachable by Docker service hostname, or cloud metadata endpoints (e.g., the AWS EC2 instance metadata service), which can disclose internal IP addresses, API keys, or database credentials. Successful exploitation could enable lateral movement within the network or compromise of the underlying infrastructure. LinkAce has a NoPrivateIpRule validation class intended to reject such targets, but it is not applied consistently on every link-creation path, and that inconsistency is what leaves this path exposed.
This vulnerability was publicly disclosed on 2026-03-10. There is no indication of active exploitation campaigns at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept code is not yet available, but SSRF flaws of this kind are simple to reproduce, so a PoC is likely to appear. LinkAce's source code is openly available and it is commonly deployed in Docker alongside other services, so exploitation is easy for anyone who can reach the link-creation endpoint, which suggests a medium probability of exploitation despite the low EPSS score below.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC:
The fix for CVE-2026-30953 is to apply the NoPrivateIpRule consistently on every link-creation path in LinkAce. In the affected versions it is applied only in FetchController.php, so links created through LinkRepository::create() (the path behind POST /links) bypass it; the patched release applies the rule there as well. If you run LinkAce from source and cannot upgrade immediately, apply the rule in LinkRepository::create() yourself. As a deployment-level workaround, restrict outbound connections from the LinkAce container or host at the network layer (for example, firewall or Docker network rules, or an egress proxy, that block connections to RFC 1918 ranges, loopback, and 169.254.169.254). Note that a Web Application Firewall inspects inbound requests and cannot stop the server's own outbound fetches; at most it can reject /links requests whose URL parameter points at an internal address. Monitor LinkAce and proxy logs for link creations that target internal hostnames or IP ranges, which would indicate exploitation attempts. Upgrade as soon as the patched version is available to you. After upgrading, confirm the fix by attempting to create a link to a known internal resource (e.g., a local web server or the cloud metadata address) and verifying that the request is rejected.
Update LinkAce to 2.0.1 or later, where the NoPrivateIpRule is also applied on link creation. This prevents the server from fetching metadata from private IP addresses.
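The following is an added example, not LinkAce project code, showing the validation the mitigation above asks for: a guard for a "fetch metadata from a user-supplied URL" feature that resolves the host, rejects private, loopback, link-local and cloud metadata addresses (including IPv4-mapped IPv6 forms), and re-validates every redirect hop, beside the flawed pattern that fetches whatever the user supplied. The DNS table, the HTTP redirect table, and the hostnames in them are constructed for the example so it runs offline; the real NoPrivateIpRule in LinkAce may differ in detail.

```python
"""
Added example (not LinkAce project code): an SSRF guard for a feature that
fetches metadata from a user-supplied URL, in the spirit of the
NoPrivateIpRule described above. It checks the scheme, resolves the host,
rejects private, loopback, link-local and cloud metadata addresses, and
re-checks every redirect hop. DNS and HTTP are replaced by constructed
lookup tables so the example runs offline.
"""
import ipaddress
from urllib.parse import urlparse

# Ranges a link archiver should never fetch on behalf of a user.
# 169.254.0.0/16 covers the cloud metadata endpoint 169.254.169.254;
# fc00::/7 is IPv6 ULA; ::ffff:0:0/96 is the IPv4-mapped IPv6 space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
    "::ffff:0:0/96",
)]

# Constructed DNS table standing in for socket.getaddrinfo (assumption).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],         # cloud metadata IP
    "db": ["172.18.0.5"],                            # Docker service name
    "dual.example": ["93.184.216.34", "10.0.0.7"],   # public + private
    "v6map.example": ["::ffff:127.0.0.1"],           # IPv4-mapped loopback
}

# Constructed HTTP table: URL -> (status, Location). Unknown URLs are 200.
FAKE_HTTP = {
    "https://example.com/go": (302, "http://db/admin"),
    "https://example.com/loop": (302, "https://example.com/loop"),
}
MAX_REDIRECTS = 3

class SSRFBlocked(ValueError):
    """Raised when a URL would reach an address the service must not touch."""

def resolve(host):
    """Stand-in resolver; an IP literal resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])

def is_blocked_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Judge ::ffff:127.0.0.1 as 127.0.0.1, not as an unrelated IPv6 host.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_url(url):
    """Return the resolved addresses if url is safe to fetch, else raise."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise SSRFBlocked("missing host")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {parts.hostname}")
    # A name with one public and one private address is still an SSRF
    # vector, so every address must pass.
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:
        raise SSRFBlocked(f"{parts.hostname} resolves to blocked {blocked}")
    return addrs

def is_allowed(url):
    try:
        validate_url(url)
        return True
    except SSRFBlocked:
        return False

def final_url(url, check=True):
    """Follow redirects and return the URL actually fetched.
    check=False is the flawed pattern: trust the user's URL and every
    redirect. check=True validates the initial URL and each hop, so a
    public site redirecting to http://db/admin is stopped."""
    for _ in range(MAX_REDIRECTS + 1):
        if check:
            validate_url(url)
        status, location = FAKE_HTTP.get(url, (200, None))
        if status != 302:
            return url
        url = location
    raise SSRFBlocked("too many redirects")

def safe_final_url(url):
    """Hardened fetch that reports a block (or redirect loop) as None."""
    try:
        return final_url(url, check=True)
    except SSRFBlocked:
        return None
```

Two points matter when adapting this to a real service. First, the check must run on the address the HTTP client will actually connect to, not only on the hostname string: resolve once, validate, and then connect to that validated address (setting the Host header yourself), otherwise a hostname whose DNS answer changes between the check and the fetch slips through. Second, redirects have to be re-validated at every hop, as `final_url(check=True)` does, since a public site can redirect to an internal address. The same URLs used in the test table (a loopback literal, the metadata address, a Docker service name) are the ones to try against a real instance after upgrading; each should be rejected at link creation.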
CVE-2026-30953 is a server-side request forgery vulnerability affecting LinkAce versions up to and including 2.0.0, allowing attackers to make the LinkAce server request internal resources.
If you are running LinkAce version 2.0.0 or earlier, you are potentially affected by this SSRF vulnerability.
The recommended fix is to upgrade to LinkAce 2.0.1 or later. Until you can, restrict outbound connections from the LinkAce host or container at the network layer and, if you run from source, apply the NoPrivateIpRule on all link-creation paths yourself.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests a potential for future attacks.
Refer to the LinkAce project's official website and security advisories for updates and the latest information regarding CVE-2026-30953.
CVSS Vector