Insecure Design in Plane Project Management Tool by MakePlane
CVE-2026-27949

2 LOW

Key Information:

Vendor

Makeplane

Status
Vendor
CVE Published:
7 April 2026

What is CVE-2026-27949?

In versions of the Plane project management tool prior to 1.3.0, user email addresses are transmitted as a query parameter during authentication error handling. This exposes personally identifiable information (PII) in GET request query strings and reflects an insecure design in the software's authentication flow. The vulnerability has been addressed in version 1.3.0.
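Query strings are routinely written to web server and proxy access logs, so one practical check is to scan those logs for e-mail-shaped query values and redact them. The following is an added example, not code from Plane or from this advisory; the log lines, paths and parameter names are constructed and hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Deliberately loose e-mail shape: enough to flag values in a log, not to validate them.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Request line as it appears in common/combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def email_params(url):
    """Names of query parameters whose percent-decoded value looks like an e-mail."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if EMAIL_RE.match(value)]

def redact(url):
    """Same URL with every e-mail-shaped query value replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if EMAIL_RE.match(value) else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_access_log(lines):
    """Yield (line_no, parameter_names, redacted_target) for each leaking request."""
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        names = email_params(match.group(1))
        if names:
            yield line_no, names, redact(match.group(1))

# Constructed sample lines; the path and parameter names are hypothetical.
SAMPLE = [
    '203.0.113.5 - - [07/Apr/2026:10:00:00 +0000] '
    '"GET /login?error=invalid&email=alice%40example.com HTTP/1.1" 302 0',
    '203.0.113.5 - - [07/Apr/2026:10:00:01 +0000] '
    '"GET /login?error=invalid HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Apr/2026:10:00:02 +0000] '
    '"GET /static/app.js?v=3 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for line_no, names, target in scan_access_log(SAMPLE):
        print(f"line {line_no}: e-mail in {names} -> {target}")
```

The matcher works on decoded values, so it catches `%40`-encoded addresses that a plain text search for `@` would miss.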

Affected Version(s)

plane < 1.3.0

References

CVSS V3.1

Score:
2
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
