CVE-2026-45342— LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes

LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6.

N/A

通过用户控制密钥绕过授权机制

LinkAce 安全漏洞

LinkAce是Kevin Woblick个人开发者的一个自托管档案库，用于收集您最喜爱的网站的链接。 LinkAce 2.5.6之前版本存在安全漏洞，该漏洞源于授权策略层存在不安全的直接对象引用漏洞，任何经过身份验证的用户可修改其他用户拥有的资源，受影响的资源类型包括链接、列表、标签和笔记，根因在于LinkPolicy、LinkListPolicy、TagPolicy和NotePolicy的update()方法委托给返回true的访问检查方法，无论资源所有者是谁。

N/A

N/A