CVE-2026-27705
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Plane is an an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch() method in apps/api/plane/app/views/asset/v2.py (lines 579–593) performs a global asset lookup using only the asset ID (pk) via FileAsset.objects.get(id=pk), without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the attributes and is_uploaded status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| makeplane | plane | < 1.2.2 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j
- https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96
- https://github.com/makeplane/plane/releases/tag/v1.2.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.