HIGH 8.1

CVE-2026-45344: LinkAce Remote Code Execution via Setup Injection

LinkAce, a self-hosted web link archival tool, contains a critical vulnerability in its initial setup wizard that allows remote attackers to inject malicious database credentials. When an attacker provides specially crafted input during the database configuration step on a fresh LinkAce instance, the application writes unsanitized data into the .env configuration file. By controlling the database and injecting mail configuration variables, an attacker can execute arbitrary commands when the application attempts to send emails. This flaw affects all versions prior to 2.5.6.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-74
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45344 is an improper neutralization vulnerability (CWE-74) in LinkAce's setup initialization flow. The vulnerability arises because the database credential input handler on uninitialized instances does not properly escape or validate user-supplied values before writing them to the .env file. An attacker positioned to reach the setup endpoints can inject mail-related configuration directives (such as MAIL_HOST, MAIL_COMMAND, or similar parameters depending on the framework's mail driver) that are later interpreted as executable commands during mail operations. The attack chain requires database connectivity to the attacker-controlled database and relies on the application eventually triggering a mail send operation, which then executes the injected payload.

Business impact

Organizations running uninitialized LinkAce instances face remote code execution risk if those instances are exposed to untrusted networks. For small teams or organizations using LinkAce as an internal link repository, a successful attack grants the attacker the ability to execute arbitrary commands with the privileges of the web application process, potentially leading to data exfiltration, lateral movement, or complete infrastructure compromise. The risk is amplified if LinkAce runs on a shared server or in a containerized environment with access to sensitive systems. The impact is particularly severe because many self-hosted deployments may be partially configured and left in setup state longer than intended.

Affected systems

LinkAce versions prior to 2.5.6 are vulnerable. The attack surface is limited to instances that have not yet completed initial setup (uninitialized state) and that are reachable from the attacker's network location. Organizations should inventory all LinkAce deployments and determine which are still in setup mode or have accessible setup endpoints.

Exploitability

The vulnerability requires network access to the setup endpoints, which are typically only active on uninitialized instances but may remain accessible if setup is not properly completed or if the instance was reset. An attacker does not need authentication, valid credentials, or user interaction. However, exploitation requires either control over a database that LinkAce will connect to or the ability to influence DNS/network routing for database connectivity. The CVSS score of 8.1 (HIGH) reflects the combination of network-based attack vector, high impact across confidentiality, integrity, and availability, though the medium attack complexity accounts for the need to control or intercept database connectivity.

Remediation

Immediately upgrade LinkAce to version 2.5.6 or later. Before upgrading, organizations should disable or restrict network access to setup endpoints on any uninitialized or partially configured LinkAce instances. Review .env files and database credentials for any evidence of tampering or injection. Consider temporarily disabling mail functionality if the setup flow cannot be completed quickly. For instances already in production use, verify that setup endpoints are not publicly accessible and that the application has completed initialization.

Patch guidance

Download and apply LinkAce version 2.5.6 or later from the official LinkAce repository or distribution channel. The patch includes proper escaping and sanitization of database credential inputs during the setup flow. Organizations should test the upgrade in a non-production environment first to ensure compatibility with existing configurations. If your instance is already initialized, the upgrade should preserve existing .env values while preventing the injection vector going forward. Verify after patching that setup endpoints either become inaccessible or properly reject uninitialized configuration attempts.

Detection guidance

Monitor web server logs for repeated requests to setup or initialization endpoints (typically paths like /setup, /install, /api/setup, or similar) especially from unexpected IP addresses. Look for POST requests with unusual database credential parameters containing shell metacharacters, variable expansion syntax (${...}, $(...).), or suspicious mail configuration values. Check .env files for unexpected mail driver settings or command injection patterns. Monitor process execution logs for mail-related processes spawning unexpected child processes or shell commands. Organizations using Web Application Firewalls should create rules to detect environment variable injection patterns in setup forms.

Why prioritize this

This vulnerability merits immediate attention because it enables unauthenticated remote code execution on uninitialized instances with a HIGH CVSS score. While the attack requires network access to setup endpoints and some level of database control or interception capability, the potential impact—full system compromise—is severe. The vulnerability is particularly dangerous for organizations that may have spun up LinkAce instances for testing or migration and left them partially configured. Unlike vulnerabilities in features that are only enabled with specific configuration, this flaw exists by default during setup and could be exploited before administrators realize the instance is exposed.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) is driven by a network-based attack vector with no authentication required, combined with high impact on confidentiality, integrity, and availability through remote code execution. The medium attack complexity (AC:H) accounts for the requirement to control a database or intercept database credentials, which is a limiting factor but not prohibitive for determined attackers or those within the same network. The score appropriately reflects that while not trivial to exploit in all network contexts, a successful attack results in complete system compromise.

Frequently asked questions

Does this vulnerability affect LinkAce instances that have already completed setup?

Primarily no. Once LinkAce initialization is complete, the setup endpoints typically become inaccessible or non-functional, making this attack vector unavailable. However, organizations should verify their configuration and ensure setup endpoints are properly disabled. If setup endpoints remain active or if the application can be reset to an uninitialized state, the risk persists even for deployed instances.

What does an attacker need to successfully exploit this vulnerability?

An attacker needs network access to the setup endpoints and must be able to provide a database that LinkAce connects to during setup (or intercept database connectivity). They do not need valid credentials, authentication, or user interaction. The actual command execution occurs later when the application sends mail, so the attacker must also ensure that a mail operation is triggered.

How can we quickly mitigate this if we cannot upgrade immediately?

If immediate upgrade is not possible, restrict network access to LinkAce setup endpoints using a firewall, reverse proxy, or web application firewall. Ensure setup endpoints are not exposed to the internet or untrusted networks. Disable mail functionality temporarily if feasible. Complete the setup wizard and verify that setup endpoints are deactivated. However, upgrade to 2.5.6 as soon as possible to properly address the root cause.

Is there a workaround or vendor mitigation outside of patching?

The primary mitigation is to restrict network access to setup endpoints and ensure the application completes initialization. There is no known workaround that eliminates the vulnerability itself; patching to 2.5.6 is the definitive fix. Some organizations may reduce risk by running LinkAce in a segmented network environment or disabling outbound mail until patched.

This analysis is based on the CVE-2026-45344 advisory published on 2026-05-28 and updated 2026-06-17. No CVSS score, patch version, or affected product list should be considered authoritative beyond what is explicitly stated in the official LinkAce security advisory and vendor guidance. Organizations should verify all remediation steps against their specific LinkAce version, deployment topology, and network configuration. This vulnerability information is provided for defensive and awareness purposes; no exploitation techniques or proof-of-concept code are included. Consult your security team and official vendor documentation before making any changes to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).