CVE-2026-27949
Plane Exposes User Email (PII and part of credential) in GET Parameter
CVSS Score
2.0
EPSS Score
0.0%
EPSS Percentile
9th
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0.
| CWE | CWE-200 CWE-598 |
| Vendor | makeplane |
| Product | plane |
| Published | Apr 7, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for makeplane plane
Be the first to know when new low vulnerabilities affecting makeplane plane are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
makeplane / plane
< 1.3.0