Description
Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete, which could lead to the same full-read Server-Side Request Forgery when a normal HTML page containing a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path: fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.
Published: 2026-04-09
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery that can expose internal resources
Action: Apply Patch
AI Analysis

Impact

A recent vulnerability in Plane, an open-source project management application, allows an authenticated attacker with low privileges to exploit a server-side request forgery (SSRF) in the favicon fetching process that an earlier fix left incomplete. When the attacker supplies, through the Add link interface, a page whose link element points to a URL that redirects to a private IP, the backend fetches the referenced favicon with an HTTP client that follows redirects by default and never validates the redirect target. The server can therefore be steered into retrieving internal resources, giving the attacker read access to potentially sensitive data on internal networks. The flaw, classified as CWE-918, permits the attacker to read arbitrary internal content as the Plane instance, resulting in a loss of confidentiality.
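A hardened version of the favicon fetch described above, written here as an added illustration (it is not Plane's code and not the 1.3.0 fix): redirects are handled by hand, and every hop is resolved and checked against non-public address space before it is requested. The fetch callable and the resolver are injected so the logic runs offline; the requests.get(..., allow_redirects=False) call named in the docstring is an assumed way to supply the fetcher.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse


class UnsafeURL(ValueError):
    """Raised when a URL, or a redirect target, points somewhere not allowed."""


def host_is_private(hostname, resolve=socket.getaddrinfo):
    """True if ANY address the name resolves to is non-public (RFC 1918,
    loopback, link-local such as 169.254.0.0/16, ...). `resolve` is injectable."""
    try:
        infos = resolve(hostname, None)
    except OSError:
        return True  # an unresolvable name is treated as unsafe, not skipped
    return any(not ipaddress.ip_address(info[4][0]).is_global for info in infos)


def check_url(url, resolve=socket.getaddrinfo):
    """Reject anything that is not an http(s) URL to a public host."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {url}")
    if not parsed.hostname:
        raise UnsafeURL(f"missing host: {url}")
    if host_is_private(parsed.hostname, resolve):
        raise UnsafeURL(f"non-public destination: {url}")


def fetch_favicon_safely(favicon_url, fetch, resolve=socket.getaddrinfo, max_hops=3):
    """Fetch a favicon while validating EVERY redirect hop.

    `fetch(url)` must make ONE request without following redirects and return
    (status, headers, body); with requests that would be (assumed, not run here)
    requests.get(url, allow_redirects=False, timeout=5). Leaving the client's
    own redirect-following on is what lets a validated first hop bounce the
    server onto a private address.
    """
    url = favicon_url
    for _ in range(max_hops + 1):
        check_url(url, resolve)  # validated before every single request
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise UnsafeURL("redirect without a Location header")
            url = urljoin(url, location)  # relative Location resolved; re-checked next loop
            continue
        return body
    raise UnsafeURL(f"more than {max_hops} redirects")
```

Resolving a name to check it and then letting the HTTP client resolve it again leaves a DNS rebinding window; pinning the connection to the checked address closes it.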

Affected Systems

The issue affects Plane versions starting at 0.28.0 up to, but not including, 1.3.0. All installations of makeplane Plane within that range are vulnerable unless protected by additional network controls. Version 1.3.0 and later contain a fix that validates the favicon URL and blocks redirects to private addresses.

Risk and Exploitability

The CVSS base score is 7.7, indicating high severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated, but only with low privileges, and to create a link that triggers the SSRF. If internal network defenses permit outbound requests and the application does not restrict target URLs, an attacker could read files, query internal services, or exfiltrate data. Since exploitation needs neither high attack complexity nor elevated privileges, the risk is primarily exposure of internal resources; the potential impact is nonetheless significant for sensitive infrastructure.

Generated by OpenCVE AI on April 9, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Plane to version 1.3.0 or newer to apply the fix.
  • If an immediate upgrade is not possible, block or restrict the Add link functionality for authenticated users with low privileges to prevent SSRF exploitation.
  • As a temporary measure, isolate the Plane server from internal networks or implement outbound firewall rules to deny connections to private IP ranges.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Plane
                                      Plane plane
CPEs                                  cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
Vendors & Products                    Plane
                                      Plane plane

Mon, 13 Apr 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Makeplane
                                      Makeplane plane
Vendors & Products                    Makeplane
                                      Makeplane plane

Thu, 09 Apr 2026 16:00:00 +0000

Type         Values Removed   Values Added
Description                   Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.
Title                         Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching
Weaknesses                    CWE-918
References
Metrics                       cvssV3_1
                              {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:05:32.594Z

Reserved: 2026-04-07T19:13:20.377Z

Link: CVE-2026-39843

Vulnrichment

Updated: 2026-04-13T20:05:29.218Z

NVD

Status : Analyzed

Published: 2026-04-09T16:16:31.087

Modified: 2026-04-17T20:08:53.647

Link: CVE-2026-39843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:24Z

Weaknesses