Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.5
Plane Webhook Allows Internal Network Access
GHSA-fpx8-73gf-7x73
CVE-2026-30242
Summary
An attacker with admin access to a Plane project can create a webhook that makes internal network requests, potentially exposing sensitive data. This issue has been fixed in version 1.2.3. Upgrade to the latest version to ensure security.
What to do
- Update plane to version 1.2.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | plane | <= 1.2.1 | 1.2.3 |
| plane | plane | <= 1.2.3 | – |
Original title
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with worksp...
Original description
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
ghsa CVSS3.1
8.5
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026