7.5
Plane (Prior to 1.2.2) Exposes Workspace Members to Unauthenticated Attackers
GHSA-87x4-j8vh-p5qf
CVE-2026-30244
Summary
A security issue in Plane, a project management tool, allowed anyone to see the email addresses and job roles of people working on a project without needing a password. This could be used to gather private information. Update to the latest version (1.2.2 or later) to fix the problem.
What to do
Update to Plane 1.2.2 or later, which patches this issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | plane | <= 0.2.1 | – |
| plane | plane | <= 1.2.2 | – |
Original title
Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, us...
Original description
Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
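The class of misconfiguration described above can be caught in review with a static check. The following is an added example, not Plane's code or its patch: it uses Python's standard `ast` module to flag Django REST Framework views whose `permission_classes` leave them open to anonymous requests. The view names in the sample are hypothetical and the sample source is constructed.

```python
import ast

# Constructed sample source (hypothetical view names, not Plane's code).
SAMPLE = '''
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.views import APIView
class WorkspaceMemberList(APIView):
    permission_classes = [AllowAny]
class ProjectMemberList(APIView):
    permission_classes = []
class InviteList(APIView):
    pass
class IssueList(APIView):
    permission_classes = [IsAuthenticated]
'''

# DRF base classes recognised by this check (direct bases only).
VIEW_BASES = {"APIView", "GenericAPIView", "ViewSet", "GenericViewSet", "ModelViewSet"}

def _name(node):
    """Return the trailing identifier of a Name or dotted Attribute node."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def audit_permissions(source):
    """Map view class name -> reason it may accept anonymous requests."""
    findings = {}
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef) or not any(_name(b) in VIEW_BASES for b in cls.bases):
            continue
        declared = None
        for stmt in cls.body:
            if isinstance(stmt, ast.Assign) and any(_name(t) == "permission_classes" for t in stmt.targets):
                declared = stmt.value
        if declared is None:
            # DRF falls back to DEFAULT_PERMISSION_CLASSES, which is AllowAny unless set.
            findings[cls.name] = "inherits DEFAULT_PERMISSION_CLASSES"
        elif isinstance(declared, (ast.List, ast.Tuple)):
            names = [_name(e) for e in declared.elts]
            if not names:
                findings[cls.name] = "empty permission_classes"
            elif all(n == "AllowAny" for n in names):
                findings[cls.name] = "explicit AllowAny"
    return findings

if __name__ == "__main__":
    for view, reason in audit_permissions(SAMPLE).items():
        print(f"{view}: {reason}")
```

Views that subclass a project-specific base class are not matched by this check, and a finding of "inherits DEFAULT_PERMISSION_CLASSES" has to be resolved against the project's `REST_FRAMEWORK` settings.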
ghsa CVSS3.1
7.5
Vulnerability type
CWE-200
Information Exposure
CWE-284
Improper Access Control
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026