{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30244", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T17:23:59.799Z", "datePublished": "2026-03-06T21:19:12.962Z", "dateUpdated": "2026-03-09T20:54:28.297Z"}, "containers": {"cna": {"title": "Plane: Unauthenticated Workspace Member Information Disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf"}, {"name": "https://github.com/makeplane/plane/releases/tag/v1.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/makeplane/plane/releases/tag/v1.2.2"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 1.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:19:12.962Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2."}], "source": {"advisory": "GHSA-87x4-j8vh-p5qf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30244", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:43:56.065115Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:28.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30244", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:43:56.065115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:47:24.233Z"}}], "cna": {"title": "Plane: Unauthenticated Workspace Member Information Disclosure", "source": {"advisory": "GHSA-87x4-j8vh-p5qf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"status": "affected", "version": "< 1.2.2"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/makeplane/plane/releases/tag/v1.2.2", "name": "https://github.com/makeplane/plane/releases/tag/v1.2.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:19:12.962Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30244", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:28.297Z", "dateReserved": "2026-03-04T17:23:59.799Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T21:19:12.962Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CFB7634-F7C4-45BE-BCA9-FB73B6287FAC", "versionEndExcluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2."}, {"lang": "es", "value": "Plane es una herramienta de gesti\u00f3n de proyectos de c\u00f3digo abierto. Antes de la versi\u00f3n 1.2.2, atacantes no autenticados pueden enumerar a los miembros del espacio de trabajo y extraer informaci\u00f3n sensible, incluyendo direcciones de correo electr\u00f3nico, roles de usuario e identificadores internos. La vulnerabilidad se debe a que las clases de permisos de Django REST Framework estaban configuradas incorrectamente para permitir el acceso an\u00f3nimo a puntos finales protegidos. Este problema ha sido parcheado en la versi\u00f3n 1.2.2."}], "id": "CVE-2026-30244", "lastModified": "2026-03-10T16:23:32.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T22:16:01.900", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/makeplane/plane/releases/tag/v1.2.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-87x4-j8vh-p5qf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}