Summary
A vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice under CWE-598 and CWE-200.
The affected code path is located in the authentication utility module (packages/utils/src/auth.ts).
Impact
Embedding user email addresses in URLs creates multiple avenues for unintended disclosure. Query strings are persisted in browser history, and may be captured in server, proxy, CDN, or load-balancer access logs. When users navigate away from the error page, the full URL — including the email — can be transmitted to external sites via the HTTP Referer header. Third-party analytics, click-tracking services, and mail client link prefetchers may also receive or cache the exposed address.
Because the email also serves as the user's login identifier, its exposure elevates account-takeover risk when combined with credential reuse or compromised recovery channels. Additionally, uncontrolled persistence of PII across logs and third-party systems may present compliance concerns under privacy regulations such as GDPR.References
CWE-598: Information Exposure Through Query Strings in GET Request
CAPEC-37: Retrieve Embedded Sensitive Data
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor https://cwe.mitre.org/data/definitions/200.html
Credits
This vulnerability was responsibly disclosed by an independent security researcher @mbiesiad . We thank them for their contribution to the security of the Plane platform.
mbiesiad Reporter
Summary
A vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice under CWE-598 and CWE-200.
The affected code path is located in the authentication utility module (packages/utils/src/auth.ts).
Impact
Embedding user email addresses in URLs creates multiple avenues for unintended disclosure. Query strings are persisted in browser history, and may be captured in server, proxy, CDN, or load-balancer access logs. When users navigate away from the error page, the full URL — including the email — can be transmitted to external sites via the HTTP Referer header. Third-party analytics, click-tracking services, and mail client link prefetchers may also receive or cache the exposed address.
Because the email also serves as the user's login identifier, its exposure elevates account-takeover risk when combined with credential reuse or compromised recovery channels. Additionally, uncontrolled persistence of PII across logs and third-party systems may present compliance concerns under privacy regulations such as GDPR.References
CWE-598: Information Exposure Through Query Strings in GET Request
CAPEC-37: Retrieve Embedded Sensitive Data
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor https://cwe.mitre.org/data/definitions/200.html
Credits
This vulnerability was responsibly disclosed by an independent security researcher @mbiesiad . We thank them for their contribution to the security of the Plane platform.