Unrated severity · OSV Advisory · Published Jan 2, 2026 · Updated Jan 5, 2026
In plane.io, a Guest User to a Workspace can still be able to see list of members
CVE-2025-69284
Description
Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, the /api/workspaces/:slug/members/ endpoint is accessible to guests and lists the users of a specific workspace that they have joined. Since the display_name in the response is actually the handle of the email address, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.
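The missing role check and a regression check for the display_name leak, as an added example (not Plane's code, and not a description of how version 1.2.0 implements the fix). The Role enum, Membership record, function names and sample workspace are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):  # hypothetical role model, not Plane's own
    GUEST = 1
    MEMBER = 2
    ADMIN = 3


@dataclass(frozen=True)
class Membership:
    email: str
    display_name: str
    role: Role


class Forbidden(Exception):
    """Raised when the viewer's role may not call the endpoint."""


def list_members_vulnerable(viewer, members):
    # Behaviour described for versions before 1.2.0: the viewer's role is
    # never consulted, so a guest receives the full member list.
    return [{"display_name": m.display_name, "role": m.role.name} for m in members]


def list_members_hardened(viewer, members):
    # Apply the same restriction the settings page implies: no listing for guests.
    if viewer.role < Role.MEMBER:
        raise Forbidden("guests may not list workspace members")
    return [{"display_name": m.display_name, "role": m.role.name} for m in members]


def leaked_admin_handles(response, members):
    """Return display_name values in a response that match an admin's email handle."""
    admin_handles = {m.email.split("@", 1)[0].lower()
                     for m in members if m.role is Role.ADMIN}
    return sorted(r["display_name"] for r in response
                  if r["display_name"].lower() in admin_handles)


# Constructed sample workspace (not real accounts)
WORKSPACE = [
    Membership("alice.admin@example.com", "alice.admin", Role.ADMIN),
    Membership("bob@example.com", "bob", Role.MEMBER),
    Membership("guest1@example.net", "guest1", Role.GUEST),
]
GUEST = WORKSPACE[2]
```
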
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qr (mitre, x_refsource_CONFIRM)