Description
Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
Published: 2026-03-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in Plane’s webhook URL validation, which only checks for loopback addresses and ignores private IP ranges. An attacker with workspace‑admin privileges can create a webhook that points to an internal address such as 10.x.x.x or 192.168.x.x. When the webhook is triggered, the Plane server performs an HTTP request to that address and stores the response, giving the attacker full read access to any internal resource reachable from the Plane host. This is a high‑severity SSRF flaw, classified as CWE‑918, and allows confidential data exposure. Based on the description, it is inferred that further lateral movement inside the internal network could be possible.
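As an added illustration for this page (not Plane's own code and not the project's actual patch), the Python below places a loopback-only check of the kind described above beside a hardened validator that resolves the webhook host and rejects every non-public address class, including IPv4-mapped IPv6 forms and hosts whose DNS answers mix public and private records. The `resolver` hook and the `FAKE_DNS` table are constructed assumptions so the example runs offline.

```python
"""Weak (loopback-only) versus hardened webhook URL validation.

Added example: the weak function mirrors the incomplete pattern the
advisory describes; the hardened function is an illustration, not the
vendor's fix.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the OS returns for the host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def weak_url_ok(url, resolver=_resolve):
    """Incomplete check: only loopback is rejected, so 10.0.0.0/8,
    192.168.0.0/16 and 169.254.169.254 all pass."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return not any(ipaddress.ip_address(a).is_loopback for a in resolver(host))


def _is_internal(ip):
    """True for any address a server-side webhook must never contact."""
    # Judge ::ffff:10.0.0.1 as 10.0.0.1 rather than as an opaque IPv6 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_url_ok(url, resolver=_resolve):
    """Accept only http(s) URLs whose every resolved address is public.
    Any resolution failure or malformed address fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if _is_internal(ip):
            return False
    return True


# Constructed DNS table (assumption for offline use, not real records).
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
}


def fake_resolver(host):
    """Literal IPs resolve to themselves; unknown names fail like DNS would."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("constructed resolver: unknown host %r" % host)


if __name__ == "__main__":
    for candidate in ("http://10.0.0.1/hook", "http://169.254.169.254/",
                      "http://[::ffff:10.0.0.1]/hook", "http://mixed.example/hook",
                      "https://hooks.example.com/hook"):
        print(candidate, "weak:", weak_url_ok(candidate, fake_resolver),
              "hardened:", hardened_url_ok(candidate, fake_resolver))
```

Validation at webhook creation time is only the first layer: a name that resolves to a public address when the admin saves it can later resolve to an internal one, so the same check should run against the addresses actually used at request time, and the outbound network controls listed under the recommended actions remain the backstop for anything the validator misses.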

Affected Systems

Plane versions earlier than 1.2.3 (that is, 1.2.2 and below) are vulnerable. The affected product is the open-source project management tool developed by makeplane, tracked under the makeplane:plane vendor and product identifier.

Risk and Exploitability

The CVSS score is 8.5, indicating a high impact. The EPSS score is reported as less than 1%, suggesting a low likelihood of exploitation at present, and the vulnerability has not been listed in CISA's KEV catalog. However, any workspace with an admin user who can create webhooks can exploit the vulnerability to read internal network data whenever the webhook is triggered. The attack path is straightforward: an authenticated workspace admin configures a webhook URL pointing at an internal address, triggers a webhook event, and reads back the stored responses.

Generated by OpenCVE AI on April 18, 2026 at 09:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Plane 1.2.3 update or later to fix the validation error
  • Revoke or limit workspace‑admin roles to only trusted individuals who need webhook creation capabilities
  • Configure network controls or firewall rules to block outbound traffic from the Plane server to private or internal IP ranges, reducing the potential impact of remaining SSRF attempts

Advisories
Source | ID | Title
GitHub GHSA | GHSA-fpx8-73gf-7x73 | Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer
History

Tue, 10 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Plane; Plane plane
CPEs | (none) | cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Plane; Plane plane

Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Makeplane; Makeplane plane
Vendors & Products | (none) | Makeplane; Makeplane plane

Fri, 06 Mar 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
Title | (none) | Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer
Weaknesses | (none) | CWE-918
References | (none) |
Metrics | (none) | cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:28.052Z

Reserved: 2026-03-04T17:23:59.799Z

Link: CVE-2026-30242

Vulnrichment

Updated: 2026-03-09T20:47:22.160Z

NVD

Status: Analyzed

Published: 2026-03-06T22:16:01.740

Modified: 2026-03-10T16:17:24.730

Link: CVE-2026-30242

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses