{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30242", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T17:23:59.799Z", "datePublished": "2026-03-06T21:19:24.386Z", "dateUpdated": "2026-03-09T20:54:28.052Z"}, "containers": {"cna": {"title": "Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73"}, {"name": "https://github.com/makeplane/plane/releases/tag/v1.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/makeplane/plane/releases/tag/v1.2.3"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 1.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:19:24.386Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response \u2014 enabling SSRF with full response read-back. This issue has been patched in version 1.2.3."}], "source": {"advisory": "GHSA-fpx8-73gf-7x73", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:43:39.175731Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:28.052Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:43:39.175731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:47:22.160Z"}}], "cna": {"title": "Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer", "source": {"advisory": "GHSA-fpx8-73gf-7x73", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"status": "affected", "version": "< 1.2.3"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/makeplane/plane/releases/tag/v1.2.3", "name": "https://github.com/makeplane/plane/releases/tag/v1.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response \u2014 enabling SSRF with full response read-back. This issue has been patched in version 1.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:19:24.386Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30242", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:28.052Z", "dateReserved": "2026-03-04T17:23:59.799Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T21:19:24.386Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CF078AB-797F-419E-AACD-6D74F60E2B60", "versionEndExcluding": "1.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response \u2014 enabling SSRF with full response read-back. This issue has been patched in version 1.2.3."}, {"lang": "es", "value": "Plane es una herramienta de gesti\u00f3n de proyectos de c\u00f3digo abierto. Antes de la versi\u00f3n 1.2.3, la validaci\u00f3n de URL de webhook en plane/app/serializers/webhook.py solo verifica ip.is_loopback, permitiendo a atacantes con rol de ADMINISTRADOR de espacio de trabajo crear webhooks que apunten a direcciones de red privadas/internas (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). Cuando se activan los eventos de webhook, el servidor realiza solicitudes a estas direcciones internas y almacena la respuesta \u2014 lo que permite SSRF con lectura completa de la respuesta. Este problema ha sido parcheado en la versi\u00f3n 1.2.3."}], "id": "CVE-2026-30242", "lastModified": "2026-03-10T16:17:24.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T22:16:01.740", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/makeplane/plane/releases/tag/v1.2.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "plane", "source": "cna", "vendor": "makeplane"}, "product": "plane", "vendor": "makeplane"}], "analysis": {"en": {"generated_at": "2026-04-18T09:48:29.761809+00:00", "value": {"mitigation_remediation": ["Apply the Plane 1.2.3 update or later to fix the validation error", "Revoke or limit workspace\u2011admin roles to only trusted individuals who need webhook creation capabilities", "Configure network controls or firewall rules to block outbound traffic from the Plane server to private or internal IP ranges, reducing the potential impact of remaining SSRF attempts"], "summary": {"action": "Immediate Patch", "impact": "Remote Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Plane versions earlier than 1.2.3, including all releases 1.2.2 and below, are vulnerable. The issue is present in the open\u2011source Project Management tool developed by makeplane under the makeplane:plane vendor.", "description_and_impact": "The flaw lies in Plane\u2019s webhook URL validation, which only checks for loopback addresses and ignores private IP ranges. An attacker with workspace\u2011admin privileges can create a webhook that points to an internal address such as 10.x.x.x or 192.168.x.x. When the webhook is triggered, the Plane server performs an HTTP request to that address and stores the response, giving the attacker full read access to any internal resource reachable from the Plane host. This is a high\u2011severity SSRF flaw, classified as CWE\u2011918, and allows confidential data exposure. Based on the description, it is inferred that further lateral movement inside the internal network could be possible.", "risk_and_exploitability": "The CVSS score is 8.5, indicating a high impact. The EPSS score is reported as less than 1%, suggesting a low likelihood of exploitation at present, and the vulnerability has not been listed in CISA\u2019s KEV catalog. However, any workspace with an admin user who can create webhooks can exploit the vulnerability to read internal network data whenever the webhook is triggered. The attack vector is straightforward: authenticated admin user, set invalid URL, and trigger a webhook event to harvest responses."}}}}, "created": "2026-03-09T10:06:47.035516+00:00", "updated": "2026-04-18T10:00:10.313597+00:00", "vendors": ["makeplane", "makeplane$PRODUCT$plane"]}