Description
Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.
Published: 2026-06-10
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-workspace asset authorization bypass that allows any authenticated user to view, duplicate, delete, and overwrite assets belonging to other workspaces. This bypass centers on missing or improperly enforced authorization checks, corresponding to CWE‑639 and CWE‑862. The effect is a loss of confidentiality, integrity and availability for assets that should be isolated within their respective workspaces, potentially enabling sabotage, data exposure or accounting manipulation.

Affected Systems

The affected product is the open‑source project management tool Plane from makeplane. All releases prior to version 1.3.1 are impacted, as the defect was patched in that version. End‑users on any earlier version should consider their assets vulnerable until they upgrade.

Risk and Exploitability

The CVSS score of 8.3 indicates a high-severity issue. No EPSS score is provided, so the current exploitation probability is unclear, and the vulnerability is not listed in the CISA KEV catalog. The bug requires an authenticated user (PR:L in the CVSS vector), so an attacker needs a valid account; an attacker who has legitimate credentials in a workspace can then access assets across workspaces without additional privileges. The vector rates the attack as network-reachable (AV:N), low complexity (AC:L), with no user interaction required (UI:N).

Generated by OpenCVE AI on June 10, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Plane version 1.3.1 or later
  • If an upgrade is not immediately possible, temporarily reduce the permissions of all authenticated users so that asset management actions are restricted until the patch is applied
  • After applying the patch, review audit logs for unauthorized asset activity to detect any prior abuse

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Values added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 17:45:00 +0000

Values added (no values removed):

  • First Time appeared: Makeplane; Makeplane plane
  • Vendors & Products: Makeplane; Makeplane plane

Wed, 10 Jun 2026 16:00:00 +0000

Values added (no values removed):

  • Description: Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.
  • Title: Plane: Cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces
  • Weaknesses: CWE-639, CWE-862
  • References:
  • Metrics: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:46:03.776Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46558

Vulnrichment

Updated: 2026-06-10T18:45:21.517Z

NVD

Status: Received

Published: 2026-06-10T16:17:09.260

Modified: 2026-06-10T19:16:36.177

Link: CVE-2026-46558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z
