CVE-2026-40905
Published: 21 April 2026
Summary
CVE-2026-40905 is a high-severity Open Redirect (CWE-601) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): directly requires validation of user-controlled HTTP inputs such as the X-Forwarded-Host header, blocking injection of attacker-controlled domains into password reset URLs.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, including patching LinkAce to version 2.5.4, which fixes the improper trust of the X-Forwarded-Host header.
- Configuration settings: ensures the application is configured so that it does not trust or misuse unverified proxy headers such as X-Forwarded-Host when generating URLs.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability is a remote unauthenticated flaw in a public-facing web application (LinkAce) that is directly exploited by sending crafted password reset requests with a malicious X-Forwarded-Host header, enabling account takeover.
NVD Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim's password, leading to full account takeover. This vulnerability is fixed in 2.5.4.
Deeper analysis (AI)
CVE-2026-40905 is a password reset poisoning vulnerability in LinkAce, a self-hosted archive for collecting website links. In versions prior to 2.5.4, the application improperly trusts the user-controlled X-Forwarded-Host HTTP header when generating password reset URLs. This allows attackers to manipulate the header during a password reset request, injecting an attacker-controlled domain into the reset link that is emailed to the victim. The issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-601 (URL Redirection to Untrusted Site).
An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by sending a password reset request to a targeted user while controlling the X-Forwarded-Host header, such as through a reverse proxy or misconfigured network path. The victim receives an email containing a password reset link pointing to the attacker's domain; upon clicking it (UI:R), the reset token is transmitted to the attacker's server. The attacker can then capture this token and use it to reset the victim's password, achieving full account takeover with high confidentiality and integrity impacts (C:H/I:H).
The vulnerability is fixed in LinkAce version 2.5.4. The GitHub security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv provides details on the issue and recommends upgrading to the patched version.
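As an added illustration (not LinkAce's own code, nor the 2.5.4 fix), the Python below contrasts the header-trusting URL construction the advisory describes with a hardened version that only honours X-Forwarded-Host when it arrives from a configured trusted proxy and names an allowlisted host, plus a small check a defender could run over reset requests. The hostnames, proxy address and token are constructed sample values.

```python
from urllib.parse import urlencode, urlunsplit

# Constructed configuration (assumptions, not values from the advisory).
APP_SCHEME = "https"
APP_HOST = "links.example.org"            # canonical hostname the app serves
ALLOWED_HOSTS = {"links.example.org"}     # hosts the app may ever link to
TRUSTED_PROXIES = {"10.0.0.5"}            # reverse proxies allowed to forward
RESET_PATH = "/password/reset"

def vulnerable_reset_url(headers: dict, token: str) -> str:
    """Pre-2.5.4 pattern described in the advisory: whatever arrives in
    X-Forwarded-Host is used verbatim as the host of the emailed link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", APP_HOST)
    return urlunsplit((APP_SCHEME, host, RESET_PATH, urlencode({"token": token}), ""))

def resolve_host(headers: dict, peer_ip: str) -> str:
    """Honour X-Forwarded-Host only when it came from a trusted proxy AND
    names a host we actually serve; otherwise fall back to the configured host."""
    forwarded = headers.get("X-Forwarded-Host", "")
    if forwarded and peer_ip in TRUSTED_PROXIES:
        # Chained proxies append values; the first is the client-facing host.
        candidate = forwarded.split(",")[0].strip().lower()
        if candidate in ALLOWED_HOSTS:
            return candidate
    return APP_HOST

def hardened_reset_url(headers: dict, peer_ip: str, token: str) -> str:
    """Reset link whose host can never be chosen by the requester."""
    host = resolve_host(headers, peer_ip)
    return urlunsplit((APP_SCHEME, host, RESET_PATH, urlencode({"token": token}), ""))

def is_host_header_anomaly(headers: dict, peer_ip: str) -> bool:
    """Detection helper: flag reset requests whose forwarded host is not one
    we serve, or that carry the header from a peer that is not a trusted proxy."""
    forwarded = headers.get("X-Forwarded-Host", "")
    if not forwarded:
        return False
    candidate = forwarded.split(",")[0].strip().lower()
    return peer_ip not in TRUSTED_PROXIES or candidate not in ALLOWED_HOSTS

if __name__ == "__main__":
    # Constructed request: header set to a domain the application does not own.
    req = {"Host": "links.example.org", "X-Forwarded-Host": "evil.example"}
    print(vulnerable_reset_url(req, "abc123"))
    print(hardened_reset_url(req, "203.0.113.9", "abc123"))
    print(is_host_header_anomaly(req, "203.0.113.9"))
```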
Details
- CWE(s)