Description
Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
Published: 2026-02-25
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Asset Modification Across Workspaces
Action: Apply Update
AI Analysis

Impact

The flaw resides in the ProjectAssetEndpoint.patch method, which performs a global lookup of assets by ID without verifying workspace or project membership. This allows any authenticated user, even those with a minimal GUEST role, to modify the attributes and is_uploaded status of any asset in the Plane instance by guessing or enumeration of UUIDs. The primary impact is unauthorized modification of assets across workspaces and projects, potentially undermining data integrity.

Affected Systems

The affected system is the open-source Plane project management tool developed by Makeplane. All releases before v1.2.2 are impacted, as the asset lookup logic was not gated by workspace or project consistency until that version. Any Plane deployment running 1.0.x, 1.1.x, or 1.2.1 is vulnerable.

Risk and Exploitability

The CVSS score is 4.9, classifying the risk as moderate. The EPSS value is below 1%, indicating low predicted exploitation frequency. The vulnerability is officially not listed in the CISA KEV catalog, but because the exploit requires only an authenticated session and can be performed without advanced reconnaissance, the threat remains tangible. Attackers can exercise the flaw by sending a PATCH request to the asset endpoint with a guessed or enumerated asset ID, resulting in uncontrolled data modification.

Generated by OpenCVE AI on April 17, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Plane to version 1.2.2 or later, which removes the global lookup and enforces workspace‑project checks.
  • Revoke or restrict the GUEST role so that only users with sufficient privileges can perform asset modifications.
  • Implement or verify that asset patch operations include explicit checks that the asset belongs to the specified workspace and project, thereby enforcing proper authorization.

Generated by OpenCVE AI on April 17, 2026 at 15:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Plane
Plane plane
CPEs cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
Vendors & Products Plane
Plane plane
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Makeplane
Makeplane plane
Vendors & Products Makeplane
Makeplane plane

Wed, 25 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
Title Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Makeplane Plane
Plane Plane
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:10:06.766Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27705

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T17:25:39.573

Modified: 2026-02-27T17:37:38.557

Link: CVE-2026-27705

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses