anonhaven
Ad

CVE-2026-30244

HIGH CVSS 3.1: 7.5
Updated Mar 06, 2026
Django
Parameter Value
CVSS 7.5 (HIGH)
Fixed In 1.2.2
Type CWE-200 (Information Exposure (Раскрытие информации)), CWE-284 (Improper Access Control (Неправильный контроль доступа))
Vendor Django
Public PoC No

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints.

This issue has been patched in version 1.2.2.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
High
Полная утечка данных
Integrity
None
Нет модификации данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-200 Information Exposure (Раскрытие информации)
CWE-284 Improper Access Control (Неправильный контроль доступа)

References 2

https://github.com/makeplane/plane/releases/tag/v1.2.2
security-advisories@github.com
https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28223

Django

6.1

CVE-2026-28222

Django

6.1

CVE-2026-27982

Django

5.1

CVE-2026-25674

Django

3.7

CVE-2026-25673

Django

7.5