High severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026
Plane: Unauthenticated Workspace Member Information Disclosure
CVE-2026-30244
Description
Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
planePyPI | >= 0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-87x4-j8vh-p5qfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30244ghsaADVISORY
- github.com/makeplane/plane/releases/tag/v1.2.2ghsax_refsource_MISCWEB
- github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.