GHSA-87x4-j8vh-p5qf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-87x4-j8vh-p5qf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-87x4-j8vh-p5qf/GHSA-87x4-j8vh-p5qf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-87x4-j8vh-p5qf
- Aliases
- Published
- 2026-03-05T21:48:11Z
- Modified
- 2026-03-09T13:16:26.431191Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure
- Details
-
Executive Summary
A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints.
This vulnerability enables attackers to:
- Enumerate all members of any workspace without authentication
- Extract user email addresses and personally identifiable information (PII)
- Identify administrative accounts for targeted attacks
- Map organizational structure and user roles
- Conduct reconnaissance for social engineering attacks
Affected Endpoints:
GET /api/public/workspaces/{workspace_slug}/members/ GET /api/public/workspaces/{workspace_slug}/projects/{project_id}/members/A fix is available at https://github.com/makeplane/plane/releases/tag/v1.2.3.
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "nvd_published_at": "2026-03-06T22:16:01Z", "cwe_ids": [ "CWE-200", "CWE-284" ], "github_reviewed_at": "2026-03-05T21:48:11Z" }- References
Affected packages
PyPI / plane
Package
- Name
- plane
- View open source insights on deps.dev
- Purl
- pkg:pypi/plane
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected