CVE-2026-27706 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, discovered in the open-source project management tool Plane, maintained by makeplane. The vulnerability affects versions prior to 1.2.2 and resides in the "Add Link" feature, which improperly validates or restricts URLs submitted by authenticated users with general privileges. This flaw allows such users to craft arbitrary HTTP GET requests that the server executes internally, targeting internal network resources that are otherwise inaccessible externally. The server then returns the full response body to the attacker, enabling exfiltration of sensitive data from internal services, including cloud metadata endpoints commonly used in cloud environments to provide instance-specific information. The vulnerability has a CVSS v3.1 base score of 7.7, indicating high severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality with a scope change. The vulnerability does not affect integrity or availability but poses a significant risk of data exposure. The issue was publicly disclosed on February 25, 2026, and fixed in Plane version 1.2.2. No known exploits have been reported in the wild yet, but the potential for internal reconnaissance and data theft makes this a critical concern for affected deployments.

The primary impact of this SSRF vulnerability is the unauthorized disclosure of sensitive internal information. Attackers with general user privileges can leverage the flaw to access internal network services that are typically protected from external access, including cloud metadata services that may contain credentials or configuration data. This can lead to further compromise of the internal environment, lateral movement, or privilege escalation if attackers retrieve sensitive tokens or secrets. Organizations using Plane in cloud or internal network environments are at risk of data leakage, which can undermine confidentiality and trust. Although the vulnerability does not directly affect system integrity or availability, the exposure of sensitive data can have severe operational and reputational consequences. The scope of affected systems includes any organization running vulnerable versions of Plane, particularly those with sensitive internal services accessible from the Plane server. The requirement for authenticated access limits exploitation to insiders or compromised accounts but does not eliminate risk, especially in environments with weak access controls or credential management.

Organizations should immediately upgrade Plane to version 1.2.2 or later, where this SSRF vulnerability is fixed. Until upgrading, restrict access to the Plane application to trusted users only and enforce strong authentication and authorization controls to limit the number of users with access to the "Add Link" feature. Implement network segmentation and firewall rules to restrict the Plane server's ability to make arbitrary outbound requests to internal services and cloud metadata endpoints. Employ web application firewalls (WAFs) with SSRF detection capabilities to monitor and block suspicious request patterns. Conduct regular audits of user privileges and monitor logs for unusual internal request activity originating from the Plane server. Additionally, consider disabling or restricting the "Add Link" feature if it is not essential to reduce attack surface. Finally, educate users about the risks of SSRF and the importance of secure link handling within the application.