HIGHCVE-2026-30244Published 2026-03-06Modified 2026-03-09CNA GitHub_M

CVE-2026-30244: Plane: Unauthenticated Workspace Member Information Disclosure

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

makeplane / plane
< 1.2.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf
https://github.com/makeplane/plane/releases/tag/v1.2.2

Metrics