CVE-2026-27705

Medium CVSS: 4.9

Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.

Vendor

Plane

Product

Plane

CWE

CWE-639

Yayın Tarihi

2026-02-25 17:25:39

Güncelleme

2026-02-27 17:37:38

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Plane MEDIUM Plane 2026

Referanslar

https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96 https://github.com/makeplane/plane/releases/tag/v1.2.2 https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j

Benzer Kayıtlar

High

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/seri…

High

CVE-2026-30244

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate work…

High

CVE-2026-27706

Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSR…

Medium

CVE-2025-69284

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[…

Low

CVE-2025-48070

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer tha…

Medium

CVE-2025-21616

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane…