CVE-2026-45344
Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LinkAce setup database flow allows unescaped .env injection via DB_PASSWORD, enabling pre-auth RCE through mail configuration.
Vulnerability
In LinkAce versions prior to 2.5.6, the setup database configuration flow on uninitialized instances accepts attacker-controlled database credential fields (db_host, db_name, db_user, db_password) and writes them into the .env file without proper escaping. Specifically, the DB_PASSWORD value is wrapped in double quotes but not escaped, allowing a newline injection that can break out of the assignment and append arbitrary environment variables. This occurs in DatabaseController::storeConfigurationInEnv() which uses raw preg_replace() substitutions [1].
Exploitation
An attacker who can reach the unauthenticated /setup/* endpoints on an uninitialized LinkAce instance can exploit this by sending a crafted POST /setup/database request. The DB_PASSWORD field contains a payload that closes the double quote and injects newline-delimited assignments for MAIL_MAILER=sendmail and MAIL_SENDMAIL_PATH pointing to a malicious command. After the .env is rewritten, the attacker calls GET /setup/complete to finalize setup without authentication. Then, by sending a POST /forgot-password request, the application triggers Laravel's password reset flow, which loads the injected mail configuration. Symfony Mailer passes the MAIL_SENDMAIL_PATH to proc_open(), executing the attacker's command [1].
Impact
Successful exploitation results in remote code execution as the web server user. The attacker gains full control over the LinkAce application and can potentially compromise the underlying host, leading to data exfiltration, further lateral movement, or persistent access.
Mitigation
The vulnerability is fixed in LinkAce version 2.5.6. Users should upgrade immediately. No workaround is available for unpatched versions. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (2)
7d7a64b5bccf: Disallow using line breaks in database configuration during setup process
2 files changed · +36 −0
app/Http/Requests/SetupDatabaseRequest.php+4 −0 modified@@ -18,19 +18,23 @@ public function rules(): array ], 'db_host' => [ 'required_unless:connection,sqlite', + 'not_regex:/[\r\n]/', ], 'db_port' => [ 'required_unless:connection,sqlite', 'numeric', ], 'db_name' => [ 'required_unless:connection,sqlite', + 'not_regex:/[\r\n]/', ], 'db_user' => [ 'required_unless:connection,sqlite', + 'not_regex:/[\r\n]/', ], 'db_password' => [ 'nullable', + 'not_regex:/[\r\n]/', ], ]; }
tests/Controller/SetupDatabaseControllerTest.php+32 −0 added@@ -0,0 +1,32 @@ +<?php + +namespace Tests\Controller; + +use App\Settings\SystemSettings; +use Illuminate\Foundation\Testing\RefreshDatabase; +use Tests\TestCase; + +class SetupDatabaseControllerTest extends TestCase +{ + use RefreshDatabase; + + public function test_database_setup_rejects_multiline_passwords(): void + { + SystemSettings::fake([ + 'setup_completed' => false, + ]); + + $response = $this->from('/setup/database')->post('/setup/database', [ + 'connection' => 'mysql', + 'db_host' => '127.0.0.1', + 'db_port' => 3306, + 'db_name' => 'linkace', + 'db_user' => 'linkace', + 'db_password' => "secret\nMAIL_MAILER=sendmail", + ]); + + $response + ->assertRedirect('/setup/database') + ->assertSessionHasErrors('db_password'); + } +}
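Review bot: the new `not_regex:/[\r\n]/` rules in SetupDatabaseRequest stop the newline break-out, but the sink in `DatabaseController::storeConfigurationInEnv()` still writes the values into `.env` unescaped, so a `db_password` containing `"` or `\` can still break the quoting of the `DB_PASSWORD="..."` line even though it can no longer append a new assignment; escaping those characters at the write site (or rejecting them with a second `not_regex`) would give defence in depth. A `string` rule ahead of `not_regex` on each of the four fields would also make non-string input fail with a clear message, and a short comment on why line breaks are rejected would help the next reader of `rules()`.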
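Review bot: `test_database_setup_rejects_multiline_passwords` only exercises `db_password`, while the same rule was added to `db_host`, `db_name` and `db_user`; a data provider over the four fields (with a `\r`-only variant alongside `"secret\nMAIL_MAILER=sendmail"`) would cover the whole change. The test also stops at `assertSessionHasErrors('db_password')`; asserting that the `.env` file was left untouched would pin down the behaviour the fix is meant to protect.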
Vulnerability mechanics
Root cause
"Missing input validation on database credential fields allows newline injection, enabling an attacker to break out of the DB_PASSWORD value in .env and inject arbitrary environment variables."
Attack vector
An unauthenticated attacker who can reach the /setup/* endpoints on an uninitialized LinkAce instance sends POST /setup/database with a db_password value containing a closing double-quote and newline-delimited environment variable assignments [ref_id=1]. The application writes this payload verbatim into .env via raw preg_replace() substitutions, injecting MAIL_MAILER=sendmail and a malicious MAIL_SENDMAIL_PATH [ref_id=1]. After marking setup complete via /setup/complete, the attacker triggers a password reset for a user in their attacker-controlled database; Laravel's mailer loads the injected sendmail configuration, and Symfony Mailer passes the attacker-controlled path to proc_open(), achieving command execution [ref_id=1].
Affected code
The vulnerable validation logic is in `app/Http/Requests/SetupDatabaseRequest.php`, where the `rules()` method lacked newline restrictions on `db_host`, `db_name`, `db_user`, and `db_password` [patch_id=3014243]. The downstream writing occurs in `DatabaseController::storeConfigurationInEnv()`, which uses raw `preg_replace()` to write values into .env without escaping [ref_id=1].
What the fix does
The patch adds `not_regex:/[\r\n]/` validation rules to the db_host, db_name, db_user, and db_password fields in SetupDatabaseRequest [patch_id=3014243]. This rejects any input containing carriage return or newline characters, preventing the attacker from breaking out of the DB_PASSWORD="..." line in .env. The included test confirms that a multiline password like `"secret\nMAIL_MAILER=sendmail"` is rejected with a validation error [patch_id=3014243].
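As an added illustration (not LinkAce's code), the unescaped `preg_replace()` write described above sits next to a hardened writer that applies the same line-break check the fix introduces and additionally escapes the quoting characters and inserts the value through a callback. Function names, the sample `.env` and the payload string are constructed for the example.

```php
<?php
// Added example (not LinkAce's code): a minimal model of an unescaped .env
// write next to a hardened writer. Function names are hypothetical.

// Vulnerable pattern: the raw value is concatenated into the replacement string.
// A value containing a quote and a newline ends the DB_PASSWORD line and appends
// a new assignment; '$1'-style sequences in the value would also be expanded.
function writeEnvUnsafe(string $env, string $password): string
{
    return preg_replace('/^DB_PASSWORD=.*$/m', 'DB_PASSWORD="' . $password . '"', $env);
}

// Hardened writer: reject line breaks (the check the 2.5.6 fix adds as
// not_regex:/[\r\n]/), escape the quoting characters, and use a callback so the
// value is inserted literally instead of being parsed as a replacement pattern.
function quoteEnvValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('line breaks are not allowed in .env values');
    }
    // Escape backslash and double quote so the value cannot close the quotes.
    return '"' . addcslashes($value, '\\"') . '"';
}

function writeEnvSafe(string $env, string $key, string $value): string
{
    $line = $key . '=' . quoteEnvValue($value);
    return preg_replace_callback(
        '/^' . preg_quote($key, '/') . '=.*$/m',
        static fn (array $m): string => $line,
        $env
    );
}

// Constructed sample .env and a constructed payload of the shape the advisory describes.
$env = "APP_NAME=LinkAce\nDB_PASSWORD=\"changeme\"\nMAIL_MAILER=log\n";
$payload = "pw\"\nMAIL_MAILER=sendmail\nX=\"";

// The unsafe writer emits the injected MAIL_MAILER line above the original one.
echo writeEnvUnsafe($env, $payload);
// The safe writer keeps a quote-bearing password inside one quoted value.
echo writeEnvSafe($env, 'DB_PASSWORD', 'pw"with"quotes');
// The same payload is refused before anything is written.
try {
    writeEnvSafe($env, 'DB_PASSWORD', $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```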
Preconditions
- config: LinkAce instance must not have completed setup (setup mode)
- network: Attacker must be able to reach /setup/* HTTP endpoints over the network
- input: Attacker must control a MySQL or PostgreSQL database that the LinkAce server can connect to
- auth: No authentication required (setup endpoints are unauthenticated)
Reproduction
Start with an uninitialized LinkAce v2.5.5 instance where /setup/* is reachable and the server can connect to an attacker-controlled MySQL or PostgreSQL database. Send POST /setup/database with valid connection details for that attacker-controlled database and a db_password value such as: `pw"\nMAIL_MAILER=sendmail\nMAIL_SENDMAIL_PATH="/bin/sh -c 'id >/tmp/linkace_rce' -t"\nMAIL_FROM_ADDRESS=test@example.com\nX="`. Ensure the attacker-controlled database contains a user row with a known email address, then request GET /setup/complete. Trigger a password reset for that email with POST /forgot-password. Observe command execution on the host, for example by the creation of /tmp/linkace_rce or an equivalent out-of-band callback [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.