Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1.
AnalysisAI
ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.
Technical ContextAI
Plane is a Python/Django open-source project management platform. Django's F() expression allows ORM queries to reference model fields and traverse relational paths using double-underscore notation (e.g., workspace__owner__password), which the query engine resolves at SQL level against joined tables. The SavedAnalyticEndpoint passes the user-supplied segment query parameter directly into build_graph_plot(), which ultimately calls .values('dimension', 'segment') - projecting the referenced field's raw database value into the HTTP response. The regular AnalyticsEndpoint mitigated this by checking segment against an allowlist, but that guard was absent from SavedAnalyticEndpoint. CWE-943 (Improper Neutralization of Special Elements in Data Query Logic - ORM Injection) describes this root cause precisely: untrusted input influences the structural field selection of an ORM query rather than just its filter parameters, bypassing access-control boundaries at the data layer. The NVD tag 'Nosql Injection' is a misclassification; this is Django relational ORM injection, not a NoSQL database issue.
RemediationAI
Upgrade Plane to version 1.3.1 immediately (https://github.com/makeplane/plane/releases/tag/v1.3.1). The patch centralizes field validation into VALID_ANALYTICS_FIELDS and VALID_YAXIS allowlists and adds defense-in-depth validation in both build_graph_plot() and extract_axis(), ensuring no code path can pass arbitrary field references to Django F() expressions; the missing segment allowlist check in SavedAnalyticEndpoint is explicitly addressed. If an immediate upgrade is not feasible, restrict access to the /api/workspaces/<slug>/saved-analytic-view/ endpoint family at the reverse-proxy or WAF layer - note that this only reduces exposure from external attackers and does not protect against a compromised MEMBER-level account accessing the API from within the network. There is no known configuration toggle to disable saved analytics independently of the broader analytics feature. The trade-off of blocking the endpoint is loss of saved analytics functionality for all workspace members until the patch is applied.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31199