CVE-2026-27949

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0.

CVSS v3 2.0 LOW

2.0^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.5 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*

History

14 Apr 2026, 18:44

Type	Values Removed	Values Added
References	~~() https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2 -~~	() https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2 - Vendor Advisory
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:plane:plane::::::::
First Time		Plane plane Plane

07 Apr 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 21:17

Updated : 2026-04-14 18:44

NVD link : CVE-2026-27949

Mitre link : CVE-2026-27949

CVE.ORG link : CVE-2026-27949

JSON object : View

Products Affected

plane

plane

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-598

Use of GET Request Method With Sensitive Query Strings

NVD-CWE-noinfo

{"id": "CVE-2026-27949", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.0, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-04-07T21:17:15.400", "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-598"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0."}], "lastModified": "2026-04-14T18:44:46.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A83B3D5C-1D3E-422F-BDE7-557F3EB8F934", "versionEndExcluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}