Platform
nodejs
Component
plane
Fixed in
1.3.1
CVE-2026-27949 affects Plane, an open-source project management tool. This vulnerability involves the exposure of a user's email address in the URL query parameters during authentication error handling, specifically when an invalid magic code is submitted. This constitutes a PII disclosure due to the insecure practice of transmitting sensitive information via GET requests. The vulnerability impacts versions 1.0.0 through 1.2.9 and is resolved in version 1.3.0.
The core impact of CVE-2026-27949 lies in the exposure of user email addresses within URL query strings. When an invalid magic code is submitted during authentication, Plane places the user's email address in the URL it navigates to while handling the error. Carrying PII in a query string is an insecure design practice because the URL is recorded in places the application does not control: browser history, Referer headers sent to any third-party resource loaded from the page, and the access logs of reverse proxies, load balancers and the web server itself, which are often retained for long periods and readable by more people than the application database. An attacker therefore does not need to intercept traffic; read access to any of those logs is enough. While the direct impact is limited to email address exposure, the addresses can be used for targeted phishing or other social engineering. The blast radius is limited to users who hit the authentication error path.
CVE-2026-27949 is not currently listed in CISA's KEV catalog. Its EPSS score is 0.03% (10th percentile), indicating a low predicted probability of exploitation. The CVSS base score of 2.0 (LOW) reflects severity, not likelihood: the only direct outcome is disclosure of an email address. No public proof-of-concept (PoC) code has been released. The vulnerability was published on 2026-04-07.
Organizations running Plane for project management, particularly those with sensitive user populations, are at risk. This includes teams relying on Plane for internal collaboration and those hosting Plane on shared infrastructure or behind shared reverse proxies, where access logs containing the affected URLs are visible to other tenants or operators.
• nodejs / server:
find /opt/plane -path '*/packages/utils/src/auth.ts' -print
• generic web:
curl -sS -o /dev/null -D - 'https://your-plane-instance/auth?magic_code=invalid' | grep -iE '^location:.*(email=|%40)'
(The install path, endpoint and parameter name above are placeholders; adapt them to your instance. A Location header whose query string carries an email-shaped value indicates the unpatched behaviour. Also grep your reverse-proxy and web-server access logs for the authentication endpoint with `%40` or `@` in the query string, since that is where the exposure persists after the fact.)
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27949 is to upgrade Plane to version 1.3.0 or later, which stops the email address from being written into the query string. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that rejects requests to the authentication endpoint whose query string contains an email address is a partial control only: the URL is built by Plane itself while handling the error, so the WAF can only block the follow-up request (breaking the error page) and does not stop the address from entering browser history or the logs of whatever sits in front of the WAF. The more useful interim control is to mask or drop query strings for the authentication endpoint in reverse-proxy and web-server access logs, and to review existing logs and log-shipping pipelines for addresses that have already been recorded. After upgrading, confirm the fix by submitting an invalid magic code and verifying that the resulting URL (and any redirect Location header) no longer contains the email address.
Upgrade to version 1.3.0 or later to prevent the user's email address from being exposed in the URL during error handling. The update fixes the vulnerability by no longer including the email address in the URL parameters.
CVE-2026-27949 is a vulnerability in Plane project management tool where email addresses are exposed in URLs during authentication errors, leading to potential PII disclosure.
Yes, if you are using Plane versions 1.0.0 through 1.2.9, you are affected by this vulnerability and should upgrade immediately.
Upgrade Plane to version 1.3.0 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading isn't immediate.
As of publication there is no evidence of active exploitation of CVE-2026-27949, but the exposure persists on unpatched instances and in any logs that already recorded the affected URLs.
Refer to the official Plane project repository and release notes for details on CVE-2026-27949 and the corresponding fix.