CVE-2026-30953
Published: 10 March 2026
Summary
CVE-2026-30953 is a high-severity SSRF (CWE-918) vulnerability in Linkace's LinkAce. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522). It ranks at the 12.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied URLs in the POST /links endpoint to reject private IPs, internal hostnames, and metadata endpoints, preventing SSRF exploitation.
- AC-4 (Information Flow Enforcement): enforces information flow control policies that block unauthorized server-side fetches to internal network resources triggered by LinkStoreRequest inputs.
- Boundary monitoring: monitors and controls communications at key internal boundaries to mitigate server requests to Docker services and cloud metadata endpoints via HtmlMeta::getFromUrl().
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF directly enables server requests to cloud metadata endpoints (T1522/T1552.005) and internal/Docker hostnames (T1018/T1046) by bypassing IP restrictions during link metadata fetch.
NVD Description
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.
Deeper analysis
CVE-2026-30953 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in LinkAce, a self-hosted archive for collecting website links. The flaw occurs during link creation via POST /links, where the server fetches HTML metadata from the user-provided URL through LinkRepository::create() invoking HtmlMeta::getFromUrl(). The LinkStoreRequest validation rules omit the NoPrivateIpRule, enabling server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints, despite the rule's existence in app/Rules/NoPrivateIpRule.php and its use in FetchController.php (line 99).
An authenticated user with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By supplying a crafted URL in a link creation request, the attacker causes the server to fetch from restricted internal endpoints. This yields the CVSS v3.1 base score of 7.7: high confidentiality impact (C:H) with a changed scope (S:C) and no integrity or availability impact (I:N/A:N).
The GitHub security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7 provides further details on the vulnerability, including recommended mitigations and patches.
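As an added illustration (not LinkAce's code), this is the kind of check the missing NoPrivateIpRule provides on the link-creation path: a submitted URL is rejected when its host is a literal or resolved non-public address, or a bare service name of the sort Docker networks use. The function names, the SAMPLE_DNS table and the addresses below are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges to refuse in addition to ipaddress's own non-global classification:
# CGNAT and NAT64, which is_global does not flag consistently across versions.
EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "64:ff9b::/96")]

def is_blocked_ip(ip):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    ULA, CGNAT and any other address that is not publicly routable."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is judged by its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or any(addr in net for net in EXTRA_BLOCKED)

def system_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_link_url(url, resolve=system_resolve):
    """Return (accepted, reason) for a URL submitted to a link-creation
    endpoint. Hypothetical analogue of a NoPrivateIpRule-style validator."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http/https URLs with a host are accepted"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # literal IP in the URL
    except ValueError:
        if "." not in host:                            # e.g. a service name like "db"
            return False, f"bare hostname {host!r} refused"
        try:
            addrs = resolve(host)
        except OSError:
            return False, f"cannot resolve {host!r}"
    for ip in addrs:                                   # every answer must be public
        if is_blocked_ip(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    # Caveat: the fetcher must connect to the address checked here (or re-check
    # after its own lookup), otherwise DNS rebinding between validation and
    # fetch can still reach an internal host.
    return True, "ok"

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"example.com": ["93.184.216.34"], "rebind.test": ["93.184.216.34", "10.0.0.5"]}

def sample_resolve(host):
    if host not in SAMPLE_DNS:
        raise OSError(f"no such host {host}")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    for u in ("https://example.com/page", "http://169.254.169.254/",
              "http://[::ffff:127.0.0.1]/", "http://redis:6379/", "http://rebind.test/"):
        print(u, validate_link_url(u, sample_resolve))
```

Wiring the equivalent rule into LinkStoreRequest, as the advisory recommends, closes the gap on POST /links rather than only on the FetchController path.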
Details
- CWE(s)