CVE-2026-30244
Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure
Description
## Executive Summary

A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints.

This vulnerability enables attackers to:

- Enumerate all members of any workspace without authentication
- Extract user email addresses and personally identifiable information (PII)
- Identify administrative accounts for targeted attacks
- Map organizational structure and user roles
- Conduct reconnaissance for social engineering attacks

**Affected Endpoints:**

```
GET /api/public/workspaces/{workspace_slug}/members/
GET /api/public/workspaces/{workspace_slug}/projects/{project_id}/members/
```

A fix is available at https://github.com/makeplane/plane/releases/tag/v1.2.3.
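The root cause named above is a Django REST Framework `permission_classes` setting that admits anonymous callers on an endpoint returning member data. The following is an added example, not code from Plane or from this advisory: a small static checker that parses DRF view source with Python's `ast` module and flags view classes whose `permission_classes` is `[AllowAny]` (or empty) while the class name suggests it serves member or user data. The embedded `SAMPLE_VIEWS` source is constructed for the example and shows the weak setting beside a corrected one; `IsWorkspaceMember`, `PublicWorkspaceMemberListView`, `WorkspaceMemberListView`, `PublicHealthView` and the `workspace_memberships` relation are hypothetical names, not Plane identifiers. `AllowAny`, `IsAuthenticated` and `BasePermission` are real DRF classes, but DRF is not imported here, so the checker runs without Django installed.

```python
import ast
from typing import Dict, List, Optional

# Permission class names that grant anonymous access. AllowAny is the real
# DRF class name; everything else in this checker is illustrative.
ANONYMOUS_PERMISSIONS = {"AllowAny"}

# Constructed heuristic: class-name substrings that hint at member/user data.
SENSITIVE_NAME_HINTS = ("member", "user")

# Constructed DRF view source (hypothetical names, not Plane's code).
SAMPLE_VIEWS = '''
from rest_framework.permissions import AllowAny, BasePermission, IsAuthenticated
from rest_framework.views import APIView

class IsWorkspaceMember(BasePermission):
    """Corrected form: the caller must belong to the workspace in the URL."""
    def has_permission(self, request, view):
        slug = view.kwargs.get("workspace_slug")
        # workspace_memberships is a hypothetical related name.
        return request.user.workspace_memberships.filter(workspace__slug=slug).exists()

class PublicWorkspaceMemberListView(APIView):
    # Weak setting: anonymous callers may list members.
    permission_classes = [AllowAny]

class WorkspaceMemberListView(APIView):
    # Corrected setting: authenticated workspace members only.
    permission_classes = [IsAuthenticated, IsWorkspaceMember]

class PublicHealthView(APIView):
    # AllowAny is acceptable here: no member data is exposed.
    permission_classes = [AllowAny]
'''


def _permission_names(node: ast.AST) -> Optional[List[str]]:
    """Return the names in a `permission_classes = [...]` list or tuple,
    or None when the value is not a simple literal sequence."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return None
    names: List[str] = []
    for elt in node.elts:
        if isinstance(elt, ast.Name):
            names.append(elt.id)
        elif isinstance(elt, ast.Attribute):
            names.append(elt.attr)
        else:
            names.append(ast.dump(elt))
    return names


def audit_permission_classes(source: str) -> List[Dict[str, object]]:
    """Parse DRF view source and flag classes that allow anonymous access
    (AllowAny or an empty list) while their name hints at member/user data."""
    findings: List[Dict[str, object]] = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for stmt in cls.body:
            if not isinstance(stmt, ast.Assign):
                continue
            targets = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
            if "permission_classes" not in targets:
                continue
            perms = _permission_names(stmt.value)
            if perms is None:
                continue  # dynamic expression; needs manual review
            anonymous = len(perms) == 0 or any(p in ANONYMOUS_PERMISSIONS for p in perms)
            sensitive = any(h in cls.name.lower() for h in SENSITIVE_NAME_HINTS)
            if anonymous and sensitive:
                findings.append(
                    {"view": cls.name, "line": stmt.lineno, "permissions": perms}
                )
    return findings


if __name__ == "__main__":
    for f in audit_permission_classes(SAMPLE_VIEWS):
        print(f"{f['view']} (line {f['line']}): permission_classes={f['permissions']}")
```

Run against the sample, the checker reports only `PublicWorkspaceMemberListView`; the hardened view passes because it requires `IsAuthenticated` plus a workspace-membership check, and the health view passes because its name does not suggest member data. The name heuristic is deliberately coarse: in a real review, every `AllowAny` hit on an endpoint under a workspace or project URL deserves a look, regardless of the class name.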
How to patch CVE-2026-30244
No patched version has been released yet. Consider removing the affected package, or refer to the upstream advice at the links below.
- — no patched version listed
Is CVE-2026-30244 being exploited?
Low — EPSS is 0.0%; no widespread exploitation activity has been observed so far.
Affected packages (1)
- from 0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |