Platform
nodejs
Component
plane
Fixed in
1.3.1
CVE-2026-27949 affects Plane, an open-source project management tool. This vulnerability involves the exposure of a user's email address in the URL query parameters during authentication error handling, specifically when an invalid magic code is submitted. This constitutes a PII disclosure due to the insecure practice of transmitting sensitive information via GET requests. The vulnerability impacts versions 1.0.0 through 1.2.9 and is resolved in version 1.3.0.
The primary impact of CVE-2026-27949 is the potential exposure of personally identifiable information (PII), specifically user email addresses. An attacker could observe the URL when a user encounters an authentication error, such as an incorrect magic code. While the CVSS score is LOW, the exposure of PII raises privacy concerns and could be exploited for phishing or social engineering attacks. The vulnerability resides within the authentication utility module (packages/utils/src/auth.ts) of Plane, highlighting a design flaw in the error handling process. This is a classic example of insecure design, where sensitive data is inadvertently transmitted in a manner easily accessible to unauthorized parties.
CVE-2026-27949 is not currently listed on KEV or EPSS. The CVSS score of 2.0 rates the severity as low. No public proof-of-concept (PoC) code has been released as of the publication date. The vulnerability was disclosed on 2026-04-07.
Organizations utilizing Plane for project management, particularly those with sensitive user data, are at risk. This includes teams relying on Plane for internal collaboration and those hosting Plane instances in shared environments where URL observation might be easier.
• nodejs / server:
  find /opt/plane -path '*/packages/utils/src/auth.ts' -print
• generic web:
  curl -I 'https://your-plane-instance/auth?magic_code=invalid' | grep Email
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-27949 is to immediately upgrade Plane to version 1.3.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out GET requests containing email addresses in the query parameters related to authentication. Additionally, review your application's logging practices to ensure that sensitive information like email addresses is not inadvertently logged in URLs. After upgrading, confirm the fix by attempting to trigger the authentication error flow and verifying that the email address is no longer present in the URL.
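To make the flaw and the check concrete, here is an added example (not Plane's code, and not the contents of packages/utils/src/auth.ts) written in plain Node.js. It contrasts a redirect builder that copies the user's email into the query string of the error redirect with one that only carries an opaque error code, and it includes a small scanner that flags access-log lines whose request URL carries an email address in any query parameter, which is the log review and post-upgrade verification step described above. The base URL, the `INVALID_MAGIC_CODE` error code and the log lines are constructed for the example.

```javascript
// Added example: vulnerable vs. hardened error redirect, plus a log scanner
// for email addresses leaked through GET query strings. Not Plane's code.

// Simple email shape check for query-parameter values (constructed, not RFC-complete).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Hypothetical vulnerable pattern: on an invalid magic code the handler redirects
// back to the sign-in page and puts the submitted email in the URL. Anything that
// sees URLs (access logs, proxies, Referer headers, browser history) now sees PII.
function buildErrorRedirectVulnerable(base, email, errorCode) {
  const url = new URL('/sign-in', base);
  url.searchParams.set('error_code', errorCode);
  url.searchParams.set('email', email); // PII in a GET parameter
  return url.toString();
}

// Hardened pattern: only an opaque error code travels in the URL. The email the
// user typed is kept server-side (for example bound to the session) or simply
// re-entered by the user; it never becomes part of a URL.
function buildErrorRedirectHardened(base, errorCode) {
  const url = new URL('/sign-in', base);
  url.searchParams.set('error_code', errorCode);
  return url.toString();
}

// Returns the names of all query parameters whose (decoded) value looks like an email.
function findEmailParams(urlString) {
  const url = new URL(urlString);
  const hits = [];
  for (const [name, value] of url.searchParams) {
    if (EMAIL_RE.test(value)) hits.push(name);
  }
  return hits;
}

// Scans Combined-Log-Format style lines and returns the requests that leak an email
// in their query string. `base` is only used to turn the request path into a full URL.
function scanLogLines(lines, base) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP/);
    if (!m) continue;
    const params = findEmailParams(new URL(m[1], base).toString());
    if (params.length > 0) findings.push({ path: m[1], params });
  }
  return findings;
}

// Constructed sample log: one leaking redirect target, one clean one, one unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [07/Apr/2026:10:00:01 +0000] "GET /sign-in?error_code=INVALID_MAGIC_CODE&email=alice%40example.com HTTP/1.1" 200 1532',
  '10.0.0.5 - - [07/Apr/2026:10:00:09 +0000] "GET /sign-in?error_code=INVALID_MAGIC_CODE HTTP/1.1" 200 1532',
  '10.0.0.7 - - [07/Apr/2026:10:00:12 +0000] "POST /api/auth/magic-sign-in/ HTTP/1.1" 302 0',
];

// Stand-alone demonstration.
const BASE = 'https://plane.example'; // constructed hostname
console.log('vulnerable :', buildErrorRedirectVulnerable(BASE, 'alice@example.com', 'INVALID_MAGIC_CODE'));
console.log('hardened   :', buildErrorRedirectHardened(BASE, 'INVALID_MAGIC_CODE'));
console.log('log leaks  :', JSON.stringify(scanLogLines(SAMPLE_LOG, BASE)));
```

Running the scanner over real access logs (or over the `Location` header returned by the upgraded instance's error flow) gives a repeatable pass/fail for the verification step: after the upgrade, the error redirect should yield no findings. The check reads the decoded query values, so percent-encoded `@` characters are caught as well.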
Upgrade to version 1.3.0 or later to prevent the user's email address from being exposed in the URL during error handling. The update fixes the vulnerability by no longer including the email address in the URL parameters.
CVE-2026-27949 is a vulnerability in the Plane project management tool in which email addresses are exposed in URLs during authentication errors, leading to potential PII disclosure.
Yes, if you are using Plane versions 1.0.0 through 1.2.9, you are affected by this vulnerability and should upgrade immediately.
Upgrade Plane to version 1.3.0 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading isn't immediate.
As of the current date, there is no evidence of active exploitation of CVE-2026-27949, but the potential for exposure remains.
Refer to the official Plane project repository and release notes for details on CVE-2026-27949 and the corresponding fix.