PT-2026-31015 · Plane · Plane
Mbiesiad · Published 2026-04-07 · Updated 2026-04-08
CVE-2026-27949
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Plane versions prior to 1.3.0
Description
A security issue exists in Plane's authentication process. The email address of a user is included as a query parameter in the URL during error handling, such as when an invalid magic code is submitted. This practice of transmitting personally identifiable information (PII) via GET request query strings is considered an insecure design. The vulnerable code is located in the authentication utility module (packages/utils/src/auth.ts).
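Query strings are routinely written to web-server and proxy access logs, so an address sent this way can persist there. The TypeScript below is an added example, not code from Plane or from this advisory: it finds query parameters whose value decodes to an email address and redacts them from log lines. The `/sign-in` path, the `error` and `email` parameter names and the log lines are constructed assumptions.

```typescript
// Added example: paths, parameter names and log lines are constructed, not Plane's.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Decode one query-string component; malformed escapes are returned raw.
function decodeComponent(raw: string): string {
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch {
    return raw;
  }
}

// Replace every query value that decodes to an email address with a marker.
function redactEmailParams(url: string): { url: string; leakedParams: string[] } {
  const hashAt = url.indexOf("#");
  const fragment = hashAt >= 0 ? url.slice(hashAt) : "";
  const noFragment = hashAt >= 0 ? url.slice(0, hashAt) : url;
  const queryAt = noFragment.indexOf("?");
  const leakedParams: string[] = [];
  if (queryAt < 0) return { url, leakedParams };
  const pairs = noFragment.slice(queryAt + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    if (eq < 0) return pair;
    const name = pair.slice(0, eq);
    if (!EMAIL_RE.test(decodeComponent(pair.slice(eq + 1)))) return pair;
    leakedParams.push(decodeComponent(name));
    return name + "=REDACTED";
  });
  const clean = noFragment.slice(0, queryAt + 1) + pairs.join("&") + fragment;
  return { url: clean, leakedParams };
}

// Scrub the request target of 'METHOD target PROTOCOL' access-log lines.
function scrubAccessLog(lines: string[]): { scrubbed: string[]; hits: number } {
  let hits = 0;
  const scrubbed = lines.map((line) => {
    const parts = line.split(" ");
    if (parts.length < 2) return line;
    const result = redactEmailParams(parts[1]);
    if (result.leakedParams.length > 0) hits += 1;
    parts[1] = result.url;
    return parts.join(" ");
  });
  return { scrubbed, hits };
}

// Constructed sample input.
const SAMPLE_LOG = [
  "GET /sign-in?error=INVALID_CODE&email=alice%40example.test HTTP/1.1",
  "GET /static/app.js HTTP/1.1",
];
```
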
Recommendations
Update to version 1.3.0 or later.
Fix
Information Disclosure
Affected Products
Plane