LinkAce Password Reset Flaw: Account Takeover Risk

/HIGH /CVSS 8.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-601
LinkAce Password Reset Flaw: Account Takeover Risk

The National Vulnerability Database (NVD) reports a critical password reset poisoning vulnerability, CVE-2026-40905, in LinkAce versions prior to 2.5.4. This self-hosted link archiving application is susceptible due to its improper handling of user-controlled HTTP headers, specifically X-Forwarded-Host.

Attackers can exploit this by manipulating the X-Forwarded-Host header during a password reset request. This injects an attacker-controlled domain into the password reset link sent to the victim. When the victim clicks this malicious link, their password reset token is unwittingly transmitted to the attacker’s server. This allows the attacker to capture the token, reset the victim’s password, and achieve full account takeover.

With a CVSS score of 8.1 (HIGH), this vulnerability poses a significant risk. Defenders running LinkAce must prioritize upgrading to version 2.5.4 immediately. This isn’t theoretical; it’s a direct path to compromise, leveraging a common web application misconfiguration pattern. Don’t assume your reverse proxy or load balancer mitigates this if LinkAce itself trusts the header.

What This Means For You

  • If your organization uses LinkAce, you are exposed to full account takeover via password reset poisoning. Immediately check your LinkAce version; if it's prior to 2.5.4, patch it to 2.5.4 or later without delay. Review logs for suspicious password reset requests originating from unusual IPs or containing manipulated `X-Forwarded-Host` headers.

Related ATT&CK Techniques

T1078.004 Cloud Accounts Initial Access T1539 Steal Application Access Token Credential Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1078.004 Initial Access

CVE-2026-40905 - LinkAce Password Reset Host Header Poisoning

Sigma YAML — free preview
✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Export via Bot →

Indicators of Compromise

IDTypeIndicator
CVE-2026-40905 Vulnerability CVE-2026-40905

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 22, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related Posts

HKUDS OpenHarness Default Config Exposes Systems (CVE-2026-6823)

CVE-2026-6823 — HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote...

vulnerabilityCVEhigh-severitycwe-276
/SCW Vulnerability Desk /HIGH /8.2 /⚑ 3 IOCs /⚙ 3 Sigma

Critical AVideo XSS Vulnerability Exposes Admin Settings

CVE-2026-40925 — WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site...

vulnerabilityCVEhigh-severitycwe-352
/SCW Vulnerability Desk /HIGH /8.3 /⚑ 5 IOCs /⚙ 3 Sigma

Critical RCE in AVideo YPTSocket Plugin: Unauthenticated Account Takeover

CVE-2026-40911 — WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies...

vulnerabilityCVEcriticalhigh-severitycwe-94
/SCW Vulnerability Desk /CRITICAL /10 /⚑ 2 IOCs /⚙ 3 Sigma