CVE-2026-27706
Published: 25 February 2026
Summary
CVE-2026-27706 is a high-severity SSRF (CWE-918) vulnerability in Plane Plane. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes user-supplied URLs in the 'Add Link' feature to prevent the server from making arbitrary requests to internal endpoints.
Enforces information flow control policies to restrict the application's ability to initiate connections to unauthorized internal network resources.
Implements boundary protection mechanisms to monitor and block unauthorized outbound requests from the application server to internal services and cloud metadata endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app directly enables T1190 exploitation; arbitrary internal GETs and explicit cloud metadata access enable T1522 discovery and T1552.005 credential theft from instance metadata.
NVD Description
Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send…
more
arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.
Deeper analysisAI
CVE-2026-27706 is a Full Read Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the open-source project management tool Plane prior to version 1.2.2. The flaw resides in the "Add Link" feature, enabling attackers to bypass network restrictions and make arbitrary GET requests from the server to internal endpoints. It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), highlighting high confidentiality impact with changed scope.
An authenticated attacker possessing general user privileges can exploit this vulnerability remotely without user interaction. By crafting malicious links in the "Add Link" feature, they can direct the Plane server to fetch resources from internal networks, exfiltrating the full response body. This allows theft of sensitive data from internal services or cloud metadata endpoints, such as instance metadata in cloud environments.
The official mitigation is to upgrade to Plane version 1.2.2, which addresses the issue. Details are available in the GitHub security advisory (GHSA-jcc6-f9v6-f7jw) and the release notes for v1.2.2.
Details
- CWE(s)