Description
Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive user information disclosure
Action: Patch Now
AI Analysis

Impact

The flaw allows anyone with network access to the Plane API to enumerate the members of a workspace without credentials. By sending unauthenticated requests to endpoints that should have required a logged-in user, an attacker obtains email addresses, roles, and internal identifiers. This is a confidentiality violation, classified as exposure of sensitive information to an unauthorized actor (CWE-200) and improper access control (CWE-284). The exposed data can be used to target phishing and account-takeover attempts at named users and to map an organization's internal structure (who belongs to which workspace, with what role).

Affected Systems

Organizations running any version of Plane older than 1.2.2 are affected. Plane is the open-source project management tool released by MakePlane (tracked by NVD under the vendors Makeplane and Plane). Because the flaw lies in the permission classes of the application's own API rather than in any deployment-specific setting, every installation of an affected version is exposed wherever its API is reachable; internet-facing instances are the most at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable flaw that needs no privileges or user interaction and has a high impact on confidentiality but none on integrity or availability. The EPSS score is below 1%, so exploitation in the wild is currently estimated to be unlikely, and the vulnerability is not on CISA's KEV list; the SSVC assessment recorded in the history below likewise notes no known exploitation but rates the flaw as automatable. Because no authentication is required, any actor who can reach the API can request workspace member listings and receive the data directly, and such enumeration is trivial to script across workspaces or across many exposed instances. The disclosed data supports targeted phishing and credential attacks against the identified users; it does not by itself grant access to the instance.

Generated by OpenCVE AI on April 16, 2026 at 11:07 UTC.

Remediation

Vendor fix: the issue is patched in Plane 1.2.2 (see the GHSA advisory below). No workaround short of upgrading is listed; where an upgrade must be delayed, restricting network access to the API is a compensating control, not a fix.

OpenCVE Recommended Actions

  • Upgrade Plane to version 1.2.2 or later, then verify the fix by confirming that an unauthenticated request to the workspace member endpoints is rejected (401 or 403) rather than answered with member data.
  • Reconfigure Django REST Framework permission classes so that all member‑related endpoints require authenticated access, and check that any custom permission class enforces the view-level has_permission check (which list endpoints rely on) rather than only has_object_permission.
  • Review the API response schemas to ensure that email addresses, roles, and identifiers are only included for authorized users.

Generated by OpenCVE AI on April 16, 2026 at 11:07 UTC.
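
The misconfiguration class described above (Django REST Framework permission classes that admit anonymous callers) and the audit a practitioner would run against their own URLconf, as an added example that is not Plane's code and not part of the advisory. The permission classes are stand-ins that reproduce the semantics of rest_framework.permissions.BasePermission, AllowAny and IsAuthenticated so the script runs without Django installed; the view classes, WorkspaceMemberPermission, and the sample route paths are hypothetical.

```python
"""Audit which API routes an anonymous request can reach, using DRF's permission contract.

Added example, not Plane's code. The permission classes below are stand-ins with the
same semantics as rest_framework.permissions.BasePermission / AllowAny / IsAuthenticated;
in a real project import the real classes instead.
"""
from types import SimpleNamespace


class BasePermission:
    # DRF's base class returns True from both hooks, so a subclass that overrides
    # neither (or only has_object_permission) admits every request at the view level.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class AllowAny(BasePermission):
    pass


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


class WorkspaceMemberPermission(BasePermission):
    """Hypothetical custom permission that guards only object-level access.

    Pitfall: list endpoints never call has_object_permission, so on its own this class
    lets an anonymous caller list members; it must be paired with a view-level check.
    """
    def has_object_permission(self, request, view, obj):
        return bool(request.user and request.user.is_authenticated
                    and request.user.id in obj.member_ids)


# Hypothetical views illustrating the misconfiguration and its fix (not Plane's views).
class MemberListOpenView:          # vulnerable: anonymous access explicitly allowed
    permission_classes = [AllowAny]


class MemberListObjectOnlyView:    # vulnerable: no view-level check at all
    permission_classes = [WorkspaceMemberPermission]


class MemberListFixedView:         # fixed: authentication is required before anything else
    permission_classes = [IsAuthenticated, WorkspaceMemberPermission]


def anonymous_request(method="GET"):
    # Mirrors what DRF hands a view for an unauthenticated caller: Django's
    # AnonymousUser has is_authenticated == False and no id.
    return SimpleNamespace(method=method, user=SimpleNamespace(is_authenticated=False, id=None))


def authenticated_request(user_id, method="GET"):
    return SimpleNamespace(method=method, user=SimpleNamespace(is_authenticated=True, id=user_id))


def request_passes_view_permissions(view_cls, request):
    """Replicate APIView.check_permissions(): the request passes only if every permission does.

    A view whose permission_classes is empty performs no checks, which counts as open here.
    A view without the attribute falls back to DEFAULT_PERMISSION_CLASSES in DRF (shipped
    default: AllowAny), so it is treated as open as well.
    """
    view = view_cls()
    permissions = [cls() for cls in getattr(view_cls, "permission_classes", [])]
    return all(p.has_permission(request, view) for p in permissions)


def audit(routes):
    """Return the paths an unauthenticated caller can reach, from a (path, view) list."""
    anonymous = anonymous_request()
    return [path for path, view_cls in routes
            if request_passes_view_permissions(view_cls, anonymous)]


# Constructed sample route table; the paths are illustrative, not Plane's URLconf.
SAMPLE_ROUTES = [
    ("/api/workspaces/<slug>/members/", MemberListOpenView),
    ("/api/workspaces/<slug>/members-object-only/", MemberListObjectOnlyView),
    ("/api/workspaces/<slug>/members-fixed/", MemberListFixedView),
]

if __name__ == "__main__":
    for path in audit(SAMPLE_ROUTES):
        print("anonymous access allowed:", path)
```

Against a real project, replace the stand-ins with the real DRF classes, build the route list from the URLconf, and construct the anonymous request around django.contrib.auth.models.AnonymousUser; every path the audit reports should be rejected with 401 or 403 when requested without credentials, and any member-listing path it reports is exactly the class of bug this advisory describes.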

Advisories

Source: GitHub GHSA
ID: GHSA-87x4-j8vh-p5qf
Title: Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure
History

Tue, 10 Mar 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Plane; Plane plane
CPEs                 -                cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
Vendors & Products   -                Plane; Plane plane

Mon, 09 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Makeplane; Makeplane plane
Vendors & Products   -                Makeplane; Makeplane plane

Fri, 06 Mar 2026 21:30:00 +0000

Type         Values Removed   Values Added
Description  -                Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
Title        -                Plane: Unauthenticated Workspace Member Information Disclosure
Weaknesses   -                CWE-200; CWE-284
References   -                -
Metrics      -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:28.297Z

Reserved: 2026-03-04T17:23:59.799Z

Link: CVE-2026-30244

Vulnrichment

Updated: 2026-03-09T20:47:24.233Z

NVD

Status: Analyzed

Published: 2026-03-06T22:16:01.900

Modified: 2026-03-10T16:23:32.280

Link: CVE-2026-30244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses