Vulnerability Description
Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plane | Plane | < 1.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/makeplane/plane/releases/tag/v1.2.2ProductRelease Notes
- https://github.com/makeplane/plane/security/advisories/GHSA-jcc6-f9v6-f7jwVendor Advisory
FAQ
What is CVE-2026-27706?
CVE-2026-27706 is a vulnerability with a CVSS score of 7.7 (HIGH). Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows...
How severe is CVE-2026-27706?
CVE-2026-27706 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27706?
Check the references section above for vendor advisories and patch information. Affected products include: Plane Plane.