High severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026
Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer
CVE-2026-30242
Description
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
planePyPI | < 1.2.3 | 1.2.3 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-fpx8-73gf-7x73ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30242ghsaADVISORY
- github.com/makeplane/plane/releases/tag/v1.2.3ghsax_refsource_MISCWEB
- github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.