CVE-2026-27949
Insecure PII Exposure via URL in Plane Authentication
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
CVSS Scores
Base score: 2.0 (Low)
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plane | plane | versions before 1.3.0 (1.3.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Plane open-source project management tool prior to version 1.3.0. It occurs in the authentication flow: when an authentication attempt fails, for example when an invalid magic code is submitted, the error-handling path places the user's email address in a URL query parameter.
Carrying personally identifiable information (PII) such as an email address in a URL query string is an insecure design practice (CWE-598): URLs are recorded in browser history, web-server and proxy access logs, and third-party analytics, and are sent to other sites in the Referer header, so the address is exposed to parties that were never meant to see it.
The affected code is located in the authentication utility module (packages/utils/src/auth.ts), and the issue was fixed in Plane version 1.3.0.
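As an added illustration (not Plane's code, and not the actual fix from packages/utils/src/auth.ts), the TypeScript below contrasts an error redirect that puts the email in the query string with one that carries only a non-PII error code, and adds a small check that flags PII-bearing query parameters so a log-scrubbing job or a unit test can catch the pattern. The origin, path, parameter names and the PII parameter list are assumptions chosen for the example.

```typescript
// Added example, not Plane project code. Origin, path and parameter names are assumed.
const ASSUMED_ORIGIN = "https://plane.example";

// Weak pattern (what CWE-598 describes): the email is written into the GET query
// string of the redirect target, so it lands in history, access logs and Referer headers.
function buildErrorRedirectWeak(email: string, errorCode: string): string {
  const u = new URL("/sign-in", ASSUMED_ORIGIN);
  u.searchParams.set("error_code", errorCode);
  u.searchParams.set("email", email); // PII in the URL
  return u.toString();
}

// Hardened pattern: only a non-identifying error code travels in the URL. The client
// re-reads the email from its own form state (or a short-lived server-side session).
function buildErrorRedirectSafe(errorCode: string): string {
  const u = new URL("/sign-in", ASSUMED_ORIGIN);
  u.searchParams.set("error_code", errorCode);
  return u.toString();
}

// Assumed list of parameter names that should never appear in a GET query string.
const PII_PARAM_NAMES: string[] = ["email", "phone", "name", "password", "token", "code"];
// Loose email shape, used to catch PII hiding under an unexpected parameter name.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns the query parameter names that carry PII, either by name or by email-shaped value.
function findPiiInQuery(url: string): string[] {
  const u = new URL(url);
  const hits: string[] = [];
  u.searchParams.forEach((value, key) => {
    const byName = PII_PARAM_NAMES.indexOf(key.toLowerCase()) !== -1;
    const byValue = EMAIL_RE.test(value);
    if ((byName || byValue) && hits.indexOf(key) === -1) hits.push(key);
  });
  return hits;
}

// Redacts PII-bearing query values before a URL is written to a log line,
// so already-captured request lines can be scrubbed without losing the path.
function redactQueryPii(url: string): string {
  const u = new URL(url);
  for (const key of findPiiInQuery(url)) u.searchParams.set(key, "[redacted]");
  return u.toString();
}
```

The value-based check matters for log scrubbing: an address can arrive under a parameter name that is not on the deny list, so the scrubber inspects values as well as names.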
How can this vulnerability impact me?
This vulnerability can lead to the unintended exposure of users' email addresses through URLs, which may be logged in browser history, server logs, or third-party analytics tools.
Such exposure of personally identifiable information (PII) increases the risk of privacy breaches and could potentially be exploited for phishing or other social engineering attacks.
However, the CVSS base score is 2.0 (Low), reflecting a limited confidentiality impact and no integrity or availability impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Plane to version 1.3.0 or later, where the transmission of email addresses in URL query parameters during authentication error handling has been fixed. The upgrade only stops new leaks: email addresses already captured in web-server or proxy access logs, browser histories, or analytics data from earlier failed sign-ins are not removed by it and should be scrubbed or aged out separately.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability involves transmitting personally identifiable information (PII), specifically a user's email address, in GET request query strings during error handling in the authentication flow. Such insecure design practices can expose PII, which may conflict with requirements under regulations like GDPR and HIPAA that mandate protection of personal data.
By placing PII in URLs, this vulnerability increases the risk of unauthorized disclosure, potentially violating data protection principles such as data minimization and confidentiality required by these standards.
The issue is fixed in Plane version 1.3.0; upgrading prevents further PII exposure in URLs, although any addresses already recorded in logs or analytics still need to be handled under the organization's data retention and breach assessment processes.