{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27705", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T15:51:46.700Z", "dateUpdated": "2026-02-25T20:10:06.766Z"}, "containers": {"cna": {"title": "Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j"}, {"name": "https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96", "tags": ["x_refsource_MISC"], "url": "https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96"}, {"name": "https://github.com/makeplane/plane/releases/tag/v1.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/makeplane/plane/releases/tag/v1.2.2"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 1.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T15:53:56.062Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579\u2013593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue."}], "source": {"advisory": "GHSA-rfj3-8c85-g46j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:09:41.924367Z", "id": "CVE-2026-27705", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:10:06.766Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CFB7634-F7C4-45BE-BCA9-FB73B6287FAC", "versionEndExcluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579\u2013593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue."}], "id": "CVE-2026-27705", "lastModified": "2026-02-27T17:37:38.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T17:25:39.573", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/makeplane/plane/releases/tag/v1.2.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "plane", "source": "cna", "vendor": "makeplane"}, "product": "plane", "vendor": "makeplane"}], "analysis": {"en": {"generated_at": "2026-04-17T15:11:50.409835+00:00", "value": {"mitigation_remediation": ["Upgrade Plane to version 1.2.2 or later, which removes the global lookup and enforces workspace\u2011project checks.", "Revoke or restrict the GUEST role so that only users with sufficient privileges can perform asset modifications.", "Implement or verify that asset patch operations include explicit checks that the asset belongs to the specified workspace and project, thereby enforcing proper authorization."], "summary": {"action": "Apply Update", "impact": "Unauthorized Asset Modification Across Workspaces"}, "threat_synthesis": {"affected_systems": "The affected system is the open-source Plane project management tool developed by Makeplane. All releases before v1.2.2 are impacted, as the asset lookup logic was not gated by workspace or project consistency until that version. Any Plane deployment running 1.0.x, 1.1.x, or 1.2.1 is vulnerable.", "description_and_impact": "The flaw resides in the ProjectAssetEndpoint.patch method, which performs a global lookup of assets by ID without verifying workspace or project membership. This allows any authenticated user, even those with a minimal GUEST role, to modify the attributes and is_uploaded status of any asset in the Plane instance by guessing or enumeration of UUIDs. The primary impact is unauthorized modification of assets across workspaces and projects, potentially undermining data integrity.", "risk_and_exploitability": "The CVSS score is 4.9, classifying the risk as moderate. The EPSS value is below 1%, indicating low predicted exploitation frequency. The vulnerability is officially not listed in the CISA KEV catalog, but because the exploit requires only an authenticated session and can be performed without advanced reconnaissance, the threat remains tangible. Attackers can exercise the flaw by sending a PATCH request to the asset endpoint with a guessed or enumerated asset ID, resulting in uncontrolled data modification."}}}}, "created": "2026-02-26T13:15:47.843595+00:00", "updated": "2026-04-17T15:15:21.856949+00:00", "vendors": ["makeplane", "makeplane$PRODUCT$plane"]}