VYPR
Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 25, 2026

Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch

CVE-2026-27705

Description

Plane is an an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch() method in apps/api/plane/app/views/asset/v2.py (lines 579–593) performs a global asset lookup using only the asset ID (pk) via FileAsset.objects.get(id=pk), without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the attributes and is_uploaded status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Plane/Planellm-fuzzy2 versions
    <1.2.2+ 1 more
    • (no CPE)range: <1.2.2
    • (no CPE)range: < 1.2.2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.