4.9
Plane Project Management Tool Asset Access Weakness
CVE-2026-27705
Summary
Prior to version 1.2.2, a user with any level of access could edit assets in any project or workspace by guessing or knowing the asset ID. This could lead to unintended changes or data tampering. Users should update to version 1.2.2 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| plane | plane | <= 1.2.2 | – |
Original title
Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global ass...
Original description
Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
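The lookup pattern described above, modelled beside a scoped lookup, as an added example that is not Plane's code or its actual patch. The in-memory store, the `workspace` and `project_id` field names, and all function names are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class FileAsset:
    # Constructed stand-in for an asset row; field names are assumptions.
    id: uuid.UUID
    workspace: str
    project_id: str
    attributes: dict = field(default_factory=dict)
    is_uploaded: bool = False


class AssetNotFound(Exception):
    """Raised for a missing asset and for one outside the URL's scope."""


def patch_unscoped(store, workspace, project_id, pk, attributes, is_uploaded):
    # Flawed pattern: workspace and project_id from the URL are never used,
    # so the lookup is global, like FileAsset.objects.get(id=pk).
    asset = store.get(pk)
    if asset is None:
        raise AssetNotFound(pk)
    asset.attributes, asset.is_uploaded = attributes, is_uploaded
    return asset


def patch_scoped(store, workspace, project_id, pk, attributes, is_uploaded):
    # Scoped pattern: the asset must belong to the workspace and project in
    # the URL, the same pair the caller's membership was checked against.
    asset = store.get(pk)
    if asset is None or (asset.workspace, asset.project_id) != (workspace, project_id):
        # One error for both cases, so responses do not confirm valid IDs.
        raise AssetNotFound(pk)
    asset.attributes, asset.is_uploaded = attributes, is_uploaded
    return asset


def make_store():
    # Constructed sample data: one asset in each of two unrelated projects.
    a = FileAsset(uuid.uuid4(), "acme", "proj-a")
    b = FileAsset(uuid.uuid4(), "other", "proj-b")
    return {a.id: a, b.id: b}, a, b
```

In a Django view the scoped form corresponds to adding the workspace and project from the URL to the queryset filter, so an out-of-scope ID produces the same not-found response as a nonexistent one.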
nvd CVSS3.1
6.5
nvd CVSS4.0
4.9
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026