CVE-2026-46558 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46558: Plane: Cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces

Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 1.3.1
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authorization bypass vulnerability in Plane, the open-source project management tool, allows any authenticated user to access and manipulate file assets belonging to other workspaces they have no permission to access. The vulnerability is reachable over the network and requires only a low-privilege account (no admin rights needed), with no victim interaction required. Successful exploitation gives an attacker the ability to read, copy, delete, and overwrite assets across workspace boundaries. A patched-image rebuild at version 1.3.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-46558 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images derived from the makeplane/plane base. Coverage applies to both registry scans and inline pipeline checks.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.3 (HIGH) and weighs it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

A patched-image rebuild at Plane version 1.3.1 becomes available on HarborGuard once the upstream fix is confirmed, ready for deployment in affected environments. For customers who opt into auto-remediation, the flow includes a full image rebuild, a regression-test run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Plane service over the network; the vulnerability is exposed via standard HTTP endpoints with no requirement for local or physical access.

  • Authentication: Required

    Any low-privilege Plane account is sufficient; the attacker does not need administrator or workspace-owner credentials, just a valid login.

  • Victim interaction: Not required

    No action from another user or workspace member is needed; the attacker can execute the bypass entirely on their own.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free, requiring no race conditions, memory layout knowledge, or environmental prerequisites.

Blast Radius

  • Reads file assets (attachments, uploads, media) stored in workspaces the attacker has no legitimate access to, disclosing potentially sensitive project data.
  • Copies assets out of foreign workspaces, enabling exfiltration of documents or attachments from any workspace on the same Plane instance.
  • Deletes assets in other workspaces, causing permanent data loss for projects and issues the attacker cannot normally touch.
  • Overwrites assets in other workspaces with arbitrary content, allowing tampering with attachments, documentation, or other stored files.
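The bug class behind this record, shown as an added Python example that is not Plane's code: a handler that checks the caller's membership of the workspace named in the request but then loads the asset by id alone, beside a hardened version whose read, overwrite and delete paths all verify that the asset actually belongs to that workspace. The `Asset` model, the in-memory stores, the user and workspace names and the `outcome` helper are all constructed for the illustration; Plane's real endpoints and models are not on this page and are not assumed here.

```python
"""Cross-workspace asset authorization: vulnerable lookup beside a hardened one.

Constructed example for the bug class in CVE-2026-46558. It is not Plane's
code: the Asset model, the in-memory stores, and the user and workspace names
are all made up for the illustration.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not a member of the workspace named in the request."""


class NotFound(Exception):
    """No such asset in the workspace the caller is acting in."""


@dataclass(frozen=True)
class Asset:
    asset_id: str
    workspace: str   # the workspace that owns this asset
    content: bytes


# Constructed sample data: two tenants on one instance, one asset each.
ASSETS = {
    "a-1": Asset("a-1", "acme", b"acme roadmap.pdf"),
    "a-2": Asset("a-2", "globex", b"globex payroll.xlsx"),
}
MEMBERSHIPS = {"alice": {"acme"}, "bob": {"globex"}}


def _require_member(user: str, workspace: str) -> None:
    if workspace not in MEMBERSHIPS.get(user, set()):
        raise Forbidden(f"{user} is not a member of {workspace}")


def get_asset_vulnerable(user: str, workspace: str, asset_id: str) -> bytes:
    """Membership is checked against the workspace in the URL, but the asset is
    then fetched by id alone. Nothing compares asset.workspace with the
    workspace the caller was authorized for, so a member of any workspace can
    reach any asset id on the instance."""
    _require_member(user, workspace)
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise NotFound(asset_id)
    return asset.content


def _scoped_asset(user: str, workspace: str, asset_id: str) -> Asset:
    """Object-level check shared by every hardened handler: the asset must
    belong to the workspace the caller is authorized in. A foreign asset is
    reported as NotFound, the same as a missing one, so the caller learns
    nothing about asset ids in other workspaces."""
    _require_member(user, workspace)
    asset = ASSETS.get(asset_id)
    if asset is None or asset.workspace != workspace:
        raise NotFound(asset_id)
    return asset


def get_asset_hardened(user: str, workspace: str, asset_id: str) -> bytes:
    return _scoped_asset(user, workspace, asset_id).content


def overwrite_asset_hardened(user: str, workspace: str, asset_id: str,
                             content: bytes) -> Asset:
    """Writes go through the same scoping; the rewritten record keeps the
    owning workspace rather than taking it from the request."""
    current = _scoped_asset(user, workspace, asset_id)
    ASSETS[asset_id] = Asset(asset_id, current.workspace, content)
    return ASSETS[asset_id]


def delete_asset_hardened(user: str, workspace: str, asset_id: str) -> str:
    _scoped_asset(user, workspace, asset_id)
    del ASSETS[asset_id]
    return asset_id


def outcome(handler, *args) -> str:
    """Summarise a handler call as ok / forbidden / not-found, for regression checks."""
    try:
        handler(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not-found"


if __name__ == "__main__":
    # bob (a globex member) requesting acme's asset with his own workspace in the URL
    print("vulnerable:", outcome(get_asset_vulnerable, "bob", "globex", "a-1"))
    print("hardened:  ", outcome(get_asset_hardened, "bob", "globex", "a-1"))
```

The `outcome` helper doubles as a regression test: after an upgrade, asserting that a member of one workspace gets `not-found` for another workspace's asset id, on every asset operation, is the cheapest way to confirm the object-level check is in place rather than only the membership check.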

How HarborGuard Handles This

Available on HarborGuard: images running a Plane version below 1.3.1 are flagged as affected, and a patched-image rebuild at version 1.3.1 is available for deployment. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fix version, runs a regression suite against the new image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the rebuild and test results are surfaced in the findings inbox for human approval. Because no compensating patch exists below 1.3.1, customers who cannot upgrade immediately should consider applying network policy to restrict Plane asset endpoints to authenticated, workspace-scoped identities only, and review egress filtering to limit lateral data movement.

Affected packages

  • makeplane / plane: < 1.3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L