Description
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1.
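As an added illustration (not Plane's code), the allowlist check that the description says the regular AnalyticsEndpoint performs and SavedAnalyticEndpoint skipped, paired with a retrospective access-log check that flags requests to the affected endpoint whose segment value would fail it. The allowlist names, the log lines and the helper names are constructed for the example; only the endpoint path and the parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for the one Plane's regular AnalyticsEndpoint
# checks against (the real list is not in the advisory). Only plain column names
# appear, so a relationship path such as workspace__owner__password can never match.
ALLOWED_SEGMENTS = frozenset({"state", "priority", "cycle", "module", "assignee"})

# Affected endpoint path, as given in the advisory.
_SAVED_VIEW_PATH = re.compile(r"^/api/workspaces/[^/]+/saved-analytic-view/[^/]+/?$")
# Common-log-format fields we need: client address, method and request target.
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET) (\S+) HTTP/[\d.]+"')

def validate_segment(segment):
    """Return the segment if it may be handed to F(); raise ValueError otherwise.
    Absent/empty means no segmentation (None). This is the allowlist check the
    advisory says SavedAnalyticEndpoint lacked before 1.3.1."""
    if not segment:
        return None
    if segment in ALLOWED_SEGMENTS:
        return segment
    raise ValueError(f"invalid segment parameter: {segment!r}")

def find_invalid_segment_requests(log_lines):
    """Retrospective triage: (client, segment) pairs for GETs to the saved
    analytic view whose segment query parameter fails validate_segment()."""
    hits = []
    for line in log_lines:
        match = _LOG_LINE.match(line)
        if not match:
            continue
        client, _method, target = match.groups()
        parts = urlsplit(target)
        if not _SAVED_VIEW_PATH.match(parts.path):
            continue
        for segment in parse_qs(parts.query).get("segment", []):
            try:
                validate_segment(segment)
            except ValueError:
                hits.append((client, segment))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2026:22:00:01 +0000] "GET /api/workspaces/acme/saved-analytic-view/42/?segment=priority HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/May/2026:22:00:07 +0000] "GET /api/workspaces/acme/saved-analytic-view/42/?segment=workspace__owner__password HTTP/1.1" 200 9801',
    '10.0.0.9 - - [20/May/2026:22:00:09 +0000] "GET /api/workspaces/acme/projects/ HTTP/1.1" 200 1200',
]
```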
Published: 2026-05-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated workspace MEMBER to supply a crafted segment query parameter to the SavedAnalyticEndpoint, where it is fed directly into a Django F() expression. This enables ORM Field Reference Injection that can traverse foreign-key relationships, exposing sensitive fields such as password hashes, API tokens, and email addresses to the requesting user. The leak occurs through the JSON response and is more potent than the prior order_by injection weakness, since it reveals the actual field values rather than only their ordering.

Affected Systems

This issue affects makeplane:plane version 1.3.0 and all earlier releases of the Plane open‑source project management tool, where the SavedAnalyticEndpoint lacked validation against an allowlist. Version 1.3.1 and later contain the fix.

Risk and Exploitability

The CVSS base score of 6.5 classifies the weakness as moderate, while the EPSS score is not available and the vulnerability is not listed in CISA KEV. The likely attack vector requires authentication as a workspace MEMBER and involves a crafted GET request to the /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ endpoint. Because the attacker can read critical data, the risk to confidentiality is high for affected workspaces that host sensitive user information.

Generated by OpenCVE AI on May 20, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch and upgrade to version 1.3.1 or later
  • Temporarily disable the Saved Analytics endpoint for workspaces where non‑admin members are present until the upgrade
  • Review and tighten account permissions to ensure only authorized roles can use the SavedAnalytics endpoint, or remove the endpoint entirely if not required

Advisories

No advisories yet.

History

Wed, 20 May 2026 23:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Makeplane; Makeplane plane
Vendors & Products  |                | Makeplane; Makeplane plane

Wed, 20 May 2026 22:15:00 +0000

Type        | Values Removed | Values Added
Description |                | (identical to the Description given at the top of this record)
Title       |                | Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics
Weaknesses  |                | CWE-943
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T21:36:54.318Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40102

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T22:16:37.130

Modified: 2026-05-20T22:16:37.130

Link: CVE-2026-40102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T00:00:15Z

Weaknesses