CVE-2026-27706

7.7 HIGH

📋 TL;DR

Plane project management tool versions before 1.2.2 contain a Full Read SSRF vulnerability in the 'Add Link' feature. Authenticated users can send arbitrary GET requests to internal networks and exfiltrate complete response data, potentially accessing sensitive internal services and cloud metadata. All Plane deployments running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Plane
Versions: All versions prior to 1.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; general user privileges are sufficient.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains access to cloud metadata endpoints (AWS/Azure/GCP), steals credentials, accesses internal databases, or pivots to other internal systems, potentially leading to full network compromise.

🟠 Likely Case

Attacker exfiltrates sensitive data from internal services accessible from the Plane server, including internal APIs, databases, or management interfaces.

🟢 If Mitigated

With proper network segmentation and egress filtering, impact is limited to services within the same network segment as the Plane server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward for authenticated users; SSRF attacks are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2

Vendor Advisory: https://github.com/makeplane/plane/security/advisories/GHSA-jcc6-f9v6-f7jw

Restart Required: Yes

Instructions:

1. Backup your Plane instance and database.
2. Update to version 1.2.2 using your deployment method (Docker, Kubernetes, manual).
3. Restart the Plane service.
4. Verify the update by checking the version.

🔧 Temporary Workarounds

Disable Add Link Feature (applies to: all)

Temporarily disable or restrict access to the 'Add Link' functionality in Plane's interface or configuration.

Network Egress Filtering (applies to: all)

Implement firewall rules to restrict outbound HTTP/HTTPS traffic from the Plane server to only necessary external services.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Plane server from sensitive internal services.
  • Apply rate limiting and monitoring on the 'Add Link' endpoint to detect suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check if your Plane version is below 1.2.2. If using Docker: docker inspect plane | grep version. If using manual install: check package.json or admin panel.

Check Version:

docker inspect plane | grep version 2>/dev/null || grep '"version"' package.json 2>/dev/null || echo 'Check admin panel'

Verify Fix Applied:

Confirm version is 1.2.2 or higher. Test the 'Add Link' feature with internal URLs to ensure they are blocked or validated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual 'Add Link' requests with internal IPs or metadata endpoints
  • Multiple failed link validation attempts
  • Outbound requests from Plane to internal services

Network Indicators:

  • HTTP requests from the Plane server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal)

SIEM Query:

source="plane" AND (url="*169.254.169.254*" OR url="*metadata.google.internal*" OR url="*10.*" OR url="*192.168.*" OR url="*172.16.*" OR url="*172.17.*" OR url="*172.18.*" OR url="*172.19.*" OR url="*172.20.*" OR url="*172.21.*" OR url="*172.22.*" OR url="*172.23.*" OR url="*172.24.*" OR url="*172.25.*" OR url="*172.26.*" OR url="*172.27.*" OR url="*172.28.*" OR url="*172.29.*" OR url="*172.30.*" OR url="*172.31.*")
