{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.690Z", "datePublished": "2026-04-07T20:26:25.810Z", "dateUpdated": "2026-04-08T15:48:53.893Z"}, "containers": {"cna": {"title": "Plane Exposes User Email (PII and part of credential) in GET Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-598", "lang": "en", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:26:25.810Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0."}], "source": {"advisory": "GHSA-8rvg-7w43-p2w2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:48:46.131247Z", "id": "CVE-2026-27949", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:48:53.893Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.690Z", "datePublished": "2026-04-07T20:26:25.810Z", "dateUpdated": "2026-04-08T15:48:53.893Z"}, "containers": {"cna": {"title": "Plane Exposes User Email (PII and part of credential) in GET Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-598", "lang": "en", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:26:25.810Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0."}], "source": {"advisory": "GHSA-8rvg-7w43-p2w2", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:48:46.131247Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:48:49.572Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0."}], "id": "CVE-2026-27949", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T21:17:15.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/makeplane/plane/security/advisories/GHSA-8rvg-7w43-p2w2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-598"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "plane", "source": "cna", "vendor": "makeplane"}, "product": "plane", "vendor": "makeplane"}], "analysis": {"en": {"generated_at": "2026-04-07T21:53:04.870473+00:00", "value": {"mitigation_remediation": ["Upgrade to Plane version\u202f1.3.0 or newer to eliminate the query\u2011string exposure", "Verify that future deployments do not expose email addresses in URLs during authentication error handling", "Restrict logging of full request URLs in production logs to avoid leaking PII", "Consider a temporary workaround by configuring the application to use POST parameters for error messages until a patch is applied"], "summary": {"action": "Update", "impact": "Information disclosure via GET parameter"}, "threat_synthesis": {"affected_systems": "The issue affects installations of the open\u2011source project management tool Plane provided by makeplane:plane. All releases prior to version\u202f1.3.0 are vulnerable; the defect was addressed in the 1.3.0 update. Users running an earlier release should be aware that their email addresses may appear in URLs during error handling paths.", "description_and_impact": "A flaw in Plane's authentication logic causes a user's email address to be placed in the query string of a URL when an error occurs, such as when an invalid magic code is submitted. Because the email is visible in the URL, anyone who can observe that request\u2014whether by intercepting network traffic, reviewing browser history, or analyzing logs\u2014can retrieve a piece of personally identifiable information. The vulnerability is an example of insecure design related to exposure of PII in query strings and does not provide any means to execute code or alter data. It is a low\u2011severity information\u2011disclosure issue classified under CWE\u2011200 and CWE\u2011598.", "risk_and_exploitability": "The CVSS base score of 2.0 reflects a low severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker must trigger an authentication error with a valid email address in order to see the exposed value in the URL; this typically requires an active session or interaction with the target application. Because the data is transmitted in plain text, it can be captured by an eavesdropper on the network or someone reviewing server logs, but the vulnerability does not grant access to additional account data or system control."}}}}, "created": "2026-04-08T19:34:18.793729+00:00", "updated": "2026-04-08T19:45:47.663477+00:00", "vendors": ["makeplane", "makeplane$PRODUCT$plane"]}