VYPR
Medium severity6.5NVD Advisory· Published Apr 7, 2026· Updated Apr 15, 2026

CVE-2026-39374

CVE-2026-39374

Description

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1
  • cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
    Range: <1.3.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.