Platform
nodejs
Component
plane
Fixed in
0.28.1
CVE-2026-39843 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Plane, an open-source project management tool. This flaw allows an authenticated attacker with limited privileges to potentially access internal resources by manipulating link tags to redirect requests to private IP addresses. The vulnerability affects versions 0.28.0 through 1.2.9 and has been resolved in version 1.3.0.
The SSRF vulnerability in Plane allows an attacker to place a malicious link tag in an otherwise normal HTML page. When Plane fetches the favicon referenced by that tag, the response redirects the request to a private IP address, bypassing the validation that protects the main page URL. The root cause is the fetchandencode_favicon() function, which calls requests.get() with default redirect following, so the redirect target is never checked. This can lead to unauthorized access to internal services and to sensitive data residing on them, and may facilitate lateral movement if the attacker can use the SSRF to interact with other internal systems. While redirects of the main page URL are validated, the favicon fetch path is not, which creates the bypass.
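As an added example (not Plane's own code, which this page does not show), the pattern below avoids the described flaw by disabling automatic redirect following and re-validating the destination on every hop; the function names and the use of the standard library instead of requests are illustrative choices.

```python
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

MAX_REDIRECTS = 3
REDIRECT_CODES = (301, 302, 303, 307, 308)


def host_is_public(host: str) -> bool:
    """Resolve host and accept it only if every address is globally routable
    (rejects loopback, RFC 1918, link-local such as 169.254.169.254, etc.)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and all(a.is_global for a in addrs)


def url_is_public(url: str) -> bool:
    """Only http(s) URLs whose host resolves to public addresses are allowed."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_is_public(parts.hostname)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError instead of following the hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_favicon_safely(url: str, timeout: float = 5.0) -> bytes:
    """Follow redirects by hand so each Location target is validated before use.
    Note: a DNS-rebinding window between check and connect remains; pinning the
    resolved address in the connector closes it but is out of scope here."""
    opener = urllib.request.build_opener(_NoRedirect)
    for _ in range(MAX_REDIRECTS + 1):
        if not url_is_public(url):
            raise ValueError(f"refusing to fetch non-public URL: {url}")
        try:
            with opener.open(url, timeout=timeout) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code in REDIRECT_CODES and "Location" in err.headers:
                url = urllib.parse.urljoin(url, err.headers["Location"])
                continue
            raise
    raise ValueError("too many redirects")
```

Running the same validation on the first URL and on each redirect target is what the vulnerable path lacked: checking only the initial favicon URL leaves a redirect to an internal address unexamined.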
CVE-2026-39843 was publicly disclosed on 2026-04-09. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The severity is assessed as HIGH due to the potential for unauthorized access to internal resources.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39843 is to upgrade Plane to version 1.3.0 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to private IP addresses originating from Plane. Additionally, carefully review and restrict the permissions granted to authenticated users within Plane to minimize the potential impact of exploitation. Monitor Plane logs for unusual outbound requests, particularly those targeting internal IP addresses. There are no specific rollback steps beyond reverting to a previous, vulnerable version, which is not recommended.
Update to version 1.3.0 or higher to mitigate the SSRF vulnerability. This version corrects the incorrect validation of favicon URLs, preventing an attacker from making requests to private IP addresses.
CVE-2026-39843 is a HIGH severity SSRF vulnerability affecting Plane versions 0.28.0 through 1.2.9. An attacker can exploit this by crafting a malicious link tag to access internal resources.
If you are running Plane version 0.28.0 or later, and before 1.3.0, you are potentially affected by this SSRF vulnerability. Assess your environment and upgrade as soon as possible.
The recommended fix is to upgrade Plane to version 1.3.0 or later. As a temporary workaround, implement a WAF rule to block requests to private IP addresses.
As of the current assessment, there is no evidence of active exploitation campaigns targeting CVE-2026-39843.
Refer to the official Plane project repository and release notes for the advisory related to CVE-2026-39843: [https://github.com/plane-project/plane](https://github.com/plane-project/plane)