CVE-2026-30244

High CVSS: 7.5

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.

Vendor

Plane

Product

Plane

CWE

CWE-200

Yayın Tarihi

2026-03-06 22:16:01

Güncelleme

2026-03-10 16:23:32

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Plane HIGH Plane 2026

Referanslar

https://github.com/makeplane/plane/releases/tag/v1.2.2 https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf

Benzer Kayıtlar

High

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/seri…

Medium

CVE-2026-27705

Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in…

High

CVE-2026-27706

Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSR…

Medium

CVE-2025-69284

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[…

Low

CVE-2025-48070

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer tha…

Medium

CVE-2025-21616

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane…