Executive Summary

CVE-2026-39843 is a Server-Side Request Forgery (SSRF) vulnerability in the open-source project management tool Plane, affecting versions from 0.28.0 up to but not including 1.3.0.

The vulnerability occurs because the application does not properly validate redirects when fetching the favicon URL specified in an HTML page's link tag. While redirects for the main page URL are checked, the favicon fetch path uses a function that follows redirects by default without validation.

An authenticated attacker with low privileges can supply an HTML page containing a link tag with a favicon URL that redirects to a private IP address. When this URL is added via the "Add link" feature, the server fetches the favicon, follows the redirect, and retrieves content from the internal network.

This fetched content is then base64-encoded and exposed in the favicon parameter of an API endpoint response, allowing the attacker to read internal network data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with low privileges to perform a full read Server-Side Request Forgery (SSRF) attack.

By exploiting the vulnerability, the attacker can cause the server to fetch and expose data from internal or private network resources that are normally inaccessible from outside.

This can lead to unauthorized data disclosure and potential information leakage from internal systems.

The CVSS v3.1 base score is 7.7 (High), indicating a significant security risk with low attack complexity and no user interaction required.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to reproduce the Server-Side Request Forgery (SSRF) exploit as described in the proof of concept (PoC).

• Host a publicly accessible HTML page containing a <link rel="icon" href="..."> tag where the href URL redirects to a private IP address.
• Use the application's "Add link" feature to add the URL of this HTML page.
• After some time, query the issues API endpoint, for example: curl -X GET "http://localhost/api/workspaces/[SLUG]/projects/[ID]/issues/[ID]/?expand=issue_reactions,issue_attachments,issue_link,parent"

If the response contains a base64-encoded favicon parameter with content fetched from the private IP, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Plane application to version 1.3.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the application to trusted users only, as exploitation requires authenticated low-privilege access.

Additionally, monitor and audit the URLs added via the "Add link" feature to detect any suspicious favicon URLs that may redirect to private IP addresses.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to perform a full read Server-Side Request Forgery (SSRF) attack, which can lead to unauthorized data exfiltration from internal networks.

Such unauthorized access and potential data leakage could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive and personal data against unauthorized access and breaches.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Useful 0 Not Useful 0