Description
Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.
Published: 2026-04-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of issue dates across workspaces
Action: Patch Upgrade
AI Analysis

Impact

This vulnerability allows a project member with either ADMIN or MEMBER role to change the start_date and target_date fields of any issue in the Plane instance. The endpoint processes issue identifiers without verifying project or workspace membership, thereby bypassing normal access controls. Attackers can rewrite issue timelines, potentially disrupting project schedules and reporting.

Affected Systems

Plane by makeplane (makeplane:plane). All releases prior to version 1.3.0 are affected. The bulk‑update endpoint accepts any issue ID and permits date changes regardless of the workspace or project to which the issue belongs.

Risk and Exploitability

CVSS score 6.5 indicates moderate severity. Although EPSS is not available and the vulnerability is not listed in the KEV catalog, the absence of filtering on the bulk‑update endpoint makes exploitation straightforward for any authenticated user with project membership. Exploitation requires only existing project roles, so the risk to organizations that often grant broad project access is significant. Immediate upgrading mitigates the risk.

Generated by OpenCVE AI on April 7, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Plane to version 1.3.0 or later, where the bulk‑update endpoint enforces workspace membership.
  • If an upgrade is not immediately possible, restrict the bulk‑update endpoint to administrators only or disable it if unused.
  • Review and tighten project roles to limit MEMBER and ADMIN permissions to trusted users.
  • Monitor logs for unexpected bulk updates to issue dates and investigate anomalies.

Generated by OpenCVE AI on April 7, 2026 at 22:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Makeplane
Makeplane plane
Vendors & Products Makeplane
Makeplane plane

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.
Title Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Makeplane Plane
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:35:28.762Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39374

cve-icon Vulnrichment

Updated: 2026-04-08T14:35:25.300Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T20:16:32.293

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-39374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:46:11Z

Weaknesses