Platform: nodejs
Component: plane
Fixed in: 1.3.1
CVE-2026-27949 affects Plane, an open-source project management tool. This vulnerability involves the exposure of a user's email address in the URL query parameters during authentication error handling, specifically when an invalid magic code is submitted. This constitutes a PII disclosure due to the insecure practice of transmitting sensitive information via GET requests. The vulnerability impacts versions 1.0.0 through 1.2.9 and is resolved in version 1.3.0.
The primary impact of CVE-2026-27949 is the potential exposure of personally identifiable information (PII), specifically user email addresses. An attacker could observe the URL when a user encounters an authentication error, such as an incorrect magic code. While the CVSS score is LOW, the exposure of PII raises privacy concerns and could be exploited for phishing or social engineering attacks. The vulnerability resides within the authentication utility module (packages/utils/src/auth.ts) of Plane, highlighting a design flaw in the error handling process. This is a classic example of insecure design, where sensitive data is inadvertently transmitted in a manner easily accessible to unauthorized parties.
CVE-2026-27949 is not currently listed on KEV or EPSS. The CVSS score of 2.0 indicates a low probability of exploitation. No public proof-of-concept (PoC) code has been released as of the publication date. The vulnerability was disclosed on 2026-04-07.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2026-27949 is to immediately upgrade Plane to version 1.3.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out GET requests containing email addresses in the query parameters related to authentication. Additionally, review your application's logging practices to ensure that sensitive information like email addresses is not inadvertently logged in URLs. After upgrading, confirm the fix by attempting to trigger the authentication error flow and verifying that the email address is no longer present in the URL.
Update to version 1.3.0 or higher to prevent the exposure of the user's email address in the URL during error handling. This update corrects the vulnerability by preventing the inclusion of the email address in URL parameters.
CVE-2026-27949 is a vulnerability in the Plane project management tool in which email addresses are exposed in URLs during authentication errors, leading to potential PII disclosure.
Yes, if you are using Plane versions 1.0.0 through 1.2.9, you are affected by this vulnerability and should upgrade immediately.
Upgrade Plane to version 1.3.0 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading isn't immediate.
As of the current date, there is no evidence of active exploitation of CVE-2026-27949, but the potential for exposure remains.
Refer to the official Plane project repository and release notes for details on CVE-2026-27949 and the corresponding fix.