Exposure of Internal Services in LinkAce by Kovah
CVE-2026-35516

5MEDIUM

Key Information:

Vendor: Kovah
Status: Linkace
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-35516?

An issue in LinkAce prior to version 2.5.4 allows authenticated users to exploit improper input validation. By manipulating URLs, users can create links that expose internal service responses, leading to potential access to sensitive information like cloud credentials and network structure. The vulnerability arises from a failure to filter private IPs during specific link management operations, which is addressed in the subsequent software update.

Affected Version(s)

LinkAce < 2.5.4

References

https://github.com/Kovah/LinkAce/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35516 Data

JSON