CVE-2026-30244
HIGH
GHSA-87x4-j8vh-p5qf
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Description
Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
Analysis
Unauthenticated attackers can enumerate workspace members and harvest sensitive information including email addresses, user roles, and internal identifiers from Plane prior to version 1.2.2 due to misconfigured Django REST Framework permissions. The vulnerability requires no authentication or user interaction and allows remote attackers to directly access protected endpoints over the network. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit which Plane instances are internet-accessible and document all workspace members exposed. Within 7 days: Implement network-level access controls to restrict Plane access to VPN/internal networks only, or deploy WAF rules to block unauthenticated member enumeration endpoints. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today