High severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026
Plane: Unauthenticated Workspace Member Information Disclosure
CVE-2026-30244
Description
Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
planePyPI | >= 0 | — |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-87x4-j8vh-p5qfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30244ghsaADVISORY
- github.com/makeplane/plane/releases/tag/v1.2.2ghsax_refsource_MISCWEB
- github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.