CVE-2026-30244

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30244
Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/makeplane/plane/releases/tag/v1.2.2 Release Notes
https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
History

10 Mar 2026, 16:23

Type Values Removed Values Added
First Time Plane plane
Plane
CPE cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
References () https://github.com/makeplane/plane/releases/tag/v1.2.2 - () https://github.com/makeplane/plane/releases/tag/v1.2.2 - Release Notes
References () https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf - () https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf - Vendor Advisory
Summary
  • (es) Plane es una herramienta de gestión de proyectos de código abierto. Antes de la versión 1.2.2, atacantes no autenticados pueden enumerar a los miembros del espacio de trabajo y extraer información sensible, incluyendo direcciones de correo electrónico, roles de usuario e identificadores internos. La vulnerabilidad se debe a que las clases de permisos de Django REST Framework estaban configuradas incorrectamente para permitir el acceso anónimo a puntos finales protegidos. Este problema ha sido parcheado en la versión 1.2.2.

06 Mar 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-06 22:16

Updated : 2026-03-10 16:23

NVD link : CVE-2026-30244

Mitre link : CVE-2026-30244

CVE.ORG link : CVE-2026-30244

JSON object : View

Products Affected

plane

  • plane
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-284

Improper Access Control