CVE-2026-27949
Received Received - Intake
Insecure PII Exposure via URL in Plane Authentication

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27949
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
plane plane to 1.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Plane open-source project management tool prior to version 1.3.0. It occurs in the authentication flow where a user's email address is included as a query parameter in the URL during error handling, such as when an invalid magic code is submitted.

Including personally identifiable information (PII) like an email address in URL query strings is considered an insecure design practice because URLs can be logged, cached, or exposed in ways that compromise user privacy.

The affected code is located in the authentication utility module (packages/utils/src/auth.ts), and this issue was fixed in Plane version 1.3.0.

Impact Analysis

This vulnerability can lead to the unintended exposure of users' email addresses through URLs, which may be logged in browser history, server logs, or third-party analytics tools.

Such exposure of personally identifiable information (PII) increases the risk of privacy breaches and could potentially be exploited for phishing or other social engineering attacks.

However, the CVSS base score is 2.0, indicating a low severity impact with limited confidentiality impact and no integrity or availability impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade Plane to version 1.3.0 or later, where the issue with transmitting email addresses in URL query parameters during authentication error handling has been fixed.

Compliance Impact

This vulnerability involves transmitting personally identifiable information (PII), specifically a user's email address, via GET request query strings during error handling in the authentication flow. Such insecure design practices can lead to exposure of PII, which may conflict with compliance requirements under regulations like GDPR and HIPAA that mandate protection of personal data.

By exposing PII in URLs, this vulnerability increases the risk of unauthorized disclosure, potentially violating data protection principles such as data minimization and confidentiality required by these standards.

The issue is fixed in version 1.3.0 of Plane, which would help restore compliance by preventing PII exposure in URLs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27949. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart