CVE-2026-30244

Published: Mar 6, 2026Modified: Mar 10, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.

Affected (1)

Products: Plane: Plane

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Plane Plane	Before 1.2.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://github.com/makeplane/plane/releases/tag/v1.2.2

Source: security-advisories@github.com

Release Notes

https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.