CVE
CVE-2026-30244
Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure
Executive Summary
A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints.
This vulnerability enables attackers to:
- Enumerate all members of any workspace without authentication
- Extract user email addresses and personally identifiable information (PII)
- Identify administrative accounts for targeted attacks
- Map organizational structure and user roles
- Conduct reconnaissance for social engineering attacks
Affected Endpoints:
GET /api/public/workspaces/{workspace_slug}/members/
GET /api/public/workspaces/{workspace_slug}/projects/{project_id}/members/A fix is available at https://github.com/makeplane/plane/releases/tag/v1.2.3.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf, https://nvd.nist.gov/vuln/detail/CVE-2026-30244, https://github.com/makeplane/plane, https://github.com/makeplane/plane/releases/tag/v1.2.2
Basic Information
Ecosystem
