LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only app

The SSRF vulnerability in LinkAce arises from insufficient validation during link creation via POST requests to /links. Specifically, the server fetches HTML metadata from the provided URL without properly enforcing restrictions on internal network addresses. An attacker can leverage this to send requests to internal services, Docker service hostnames, or cloud metadata endpoints (e.g., AWS EC2 instance metadata). This could lead to the exposure of sensitive information such as internal IP addresses, API keys, or database credentials. Successful exploitation could enable lateral movement within the network or compromise the underlying infrastructure. The lack of consistent application of the NoPrivateIpRule class significantly expands the attack surface.

Organizations using LinkAce in Docker containers, particularly those with exposed internal services or cloud metadata endpoints, are at significant risk. Shared hosting environments where LinkAce instances share network resources are also vulnerable. Legacy LinkAce configurations that haven't been regularly updated are especially susceptible.

• docker: Inspect Docker container network configuration for unusual outbound connections.

 docker inspect <container_id> | grep -i 'Networks' 

• linux / server: Monitor outbound network connections from the LinkAce server using ss or lsof.

 ss -t -a | grep linkace 

• generic web: Monitor access and error logs for requests to internal IP addresses or cloud metadata endpoints. Look for patterns like 169.254.169.254 or 127.0.0.1.

 grep -i '169.254.169.254' /var/log/nginx/access.log

1. 2026-03-10Disclosure

   disclosure

1. 已保留2026-03-07
2. 发布日期2026-03-10
3. 修改日期2026-03-17
4. EPSS 更新日期2026-03-23

The primary mitigation for CVE-2026-30953 is to ensure the NoPrivateIpRule is applied consistently across all link creation paths within LinkAce. Currently, it's only applied in FetchController.php. Administrators should review the codebase and implement this rule in LinkRepository::create() as well. As a temporary workaround, consider restricting network access to the LinkAce server using a Web Application Firewall (WAF) or proxy to block outbound requests to internal IP ranges. Monitor LinkAce logs for unusual outbound requests that might indicate exploitation attempts. Once a patched version of LinkAce is released, upgrade immediately. After upgrade, confirm by attempting to create a link to a known internal resource (e.g., a local web server) and verifying that the request is blocked.