Platform: nodejs
Component: plane
Fixed in: 0.28.1
CVE-2026-39843 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Plane, an open-source project management tool. This flaw allows an authenticated attacker with limited privileges to potentially access internal resources by manipulating link tags to redirect requests to private IP addresses. The vulnerability affects versions 0.28.0 through 1.2.9 and has been resolved in version 1.3.0.
The SSRF vulnerability in Plane allows an attacker with low privileges to bypass security controls and make requests to internal resources that should be inaccessible from the outside. By crafting a malicious link tag with a redirect to a private IP address, the attacker can trick Plane into fetching data from these internal endpoints. This could expose sensitive information, such as internal API endpoints, database credentials, or other confidential data. The blast radius extends to any internal services accessible via HTTP/HTTPS from the Plane server, potentially compromising the entire internal network if proper network segmentation is not in place. This vulnerability shares similarities with other SSRF exploits where attackers leverage redirect mechanisms to bypass access controls.
CVE-2026-39843 was disclosed on 2026-04-09. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but given the lack of public exploits, the probability of exploitation is currently considered low.
Organizations using Plane for project management, particularly those with internal services accessible via the network, are at risk. Environments with less stringent user permission controls and those relying on legacy configurations are especially vulnerable. Shared hosting environments where multiple users share the same Plane instance should also be considered at higher risk.
• nodejs: Monitor Plane application logs for requests to internal IP addresses. Use npm audit to check for known vulnerabilities in Plane dependencies.
  npm audit   # run from the Plane checkout; npm audit takes no package-name argument and audits the project's lockfile
• generic web: Examine access logs for requests originating from Plane with unusual or unexpected target URLs, especially those resolving to private IP addresses. Check response headers for signs of SSRF exploitation.
  curl -I <plane_url>/<malicious_link>
Disclosure:
Exploit status:
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-39843 is to upgrade Plane to version 1.3.0 or later, which includes the complete remediation for the underlying issue. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with strict URL filtering rules to block requests to private IP addresses. Additionally, review and restrict the permissions of authenticated users to minimize the potential impact of exploitation. Regularly monitor Plane logs for suspicious activity, particularly requests to unusual or internal IP addresses. There are no specific Sigma or YARA patterns available at this time, but monitoring for unusual outbound requests is recommended.
Upgrade to version 1.3.0 or later to fix the SSRF vulnerability. This version corrects the faulty validation of favicon URLs, so an attacker can no longer cause requests to private IP addresses.
CVE-2026-39843 is a HIGH severity SSRF vulnerability affecting Plane versions 0.28.0 through 1.2.9. An attacker can exploit this by crafting a malicious link tag to access internal resources.
If you are running Plane version 0.28.0 or later, and before 1.3.0, you are potentially affected by this SSRF vulnerability. Assess your environment and upgrade as soon as possible.
The recommended fix is to upgrade Plane to version 1.3.0 or later. As a temporary workaround, implement a WAF rule to block requests to private IP addresses.
As of the current assessment, there is no evidence of active exploitation campaigns targeting CVE-2026-39843.
Refer to the official Plane project repository and release notes for the advisory related to CVE-2026-39843: [https://github.com/plane-project/plane](https://github.com/plane-project/plane)