What is the CVSS score of CVE-2026-46558?

CVE-2026-46558 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Plane are affected by CVE-2026-46558?

Plane prior to v1.3.1 fails to enforce workspace isolation, allowing authenticated users to access and modify files across all workspaces on a shared instance.. A patch is available.

How to fix or mitigate CVE-2026-46558?

24 hours: Determine Plane version and whether multi-workspace deployments are in use; audit recent access logs for suspicious cross-workspace API activity. 7 days: Test and validate Plane v1.3.1 in staging environment. 30 days: Deploy v1.3.1 to all production Plane instances and verify updated version.

Plane CVE-2026-46558

EUVD-2026-36066 HIGH

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-06-10 GitHub_M

Authentication Bypass Plane

8.3

CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY

8.3 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Patch available

Jun 10, 2026 - 17:01 EUVD

Source Code Evidence Fetched

Jun 10, 2026 - 16:21 vuln.today

Analysis Generated

Jun 10, 2026 - 16:21 vuln.today

DescriptionCVE.org

Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.

AnalysisAI

Cross-workspace authorization bypass in Plane (makeplane) prior to version 1.3.1 allows any authenticated user of one workspace to read, copy, delete, and overwrite file assets belonging to other workspaces on the same instance. The flaw stems from missing membership checks on V2 asset endpoints and is fixed in v1.3.1; no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain account on target Plane instance

Delivery

Enumerate or guess foreign workspace asset IDs

Exploit

Call V2 asset endpoint without membership

Execution

Bypass workspace authorization check

Persist

Read, overwrite, or delete cross-workspace assets

Impact

Exfiltrate confidential files or tamper with victim data

Access

Obtain account on target Plane instance

Delivery

Enumerate or guess foreign workspace asset IDs

Exploit

Call V2 asset endpoint without membership

Execution

Bypass workspace authorization check

Persist

Read, overwrite, or delete cross-workspace assets

Impact

Exfiltrate confidential files or tamper with victim data

Vulnerability AssessmentAI

Exploitation	Exploitation requires an authenticated account on the same Plane instance (any workspace role suffices, matching CVSS PR:L) and network reachability to the Plane API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L reflects a network-exploitable bug requiring only low privileges (any authenticated workspace user) with no user interaction, yielding high confidentiality and integrity impact and low availability impact - consistent with a tenant-isolation break on a SaaS-style product. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker registers or is invited to any low-privilege workspace on a shared Plane instance, then issues authenticated API calls to the V2 WorkspaceFileAssetEndpoint or DuplicateAssetEndpoint referencing asset identifiers belonging to a victim workspace. Because membership is not enforced, the attacker can download confidential attachments, overwrite or delete them, or duplicate them into their own workspace for exfiltration. …
Remediation	Vendor-released patch: Plane v1.3.1, available at https://github.com/makeplane/plane/releases/tag/v1.3.1, with details in GHSA-qw87-v5w3-6vxx (https://github.com/makeplane/plane/security/advisories/GHSA-qw87-v5w3-6vxx); upgrade is the primary and recommended remediation as it adds @allow_permission to all WorkspaceFileAssetEndpoint methods and scopes DuplicateAssetEndpoint's source-asset lookup to workspaces where the caller is an active member. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Determine Plane version and whether multi-workspace deployments are in use; audit recent access logs for suspicious cross-workspace API activity. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10850 MEDIUM This Month

6.9 Jun 17

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary

CVE-2026-46558 vulnerability details – vuln.today

Back