Plane Authentication Email Exposure Vulnerability

A vulnerability in Plane's authentication process prior to version 1.3.0 allows for the exposure of user email addresses as query parameters in URLs during error handling. This issue arises when an invalid magic code is submitted, inadvertently transmitting personally identifiable information (PII) via GET request query strings, which is considered an insecure design practice. The vulnerability is located in the authentication utility module, specifically in packages/utils/src/auth.ts.

Impact

The inclusion of email addresses in URLs poses several risks of unintended disclosure. Query strings can be saved in browser history and may be logged by servers, proxies, CDNs, or load balancers. When users leave the error page, the full URL, including the email address, can be sent to external sites via the HTTP Referer header. This exposed information could be intercepted or cached by third-party analytics, click-tracking services, or mail client link prefetchers. Additionally, since the email serves as the user's login identifier, its exposure increases the risk of account takeover, especially when combined with credential reuse or compromised recovery channels. The persistent exposure of PII across logs and third-party systems may also raise compliance issues under privacy regulations like GDPR.

Remediation

Users can update to Plane version 1.3.0 or later to address this vulnerability.