Plane Project Management Tool Cross-Workspace Asset Modification Vulnerability

Vulnerability

A vulnerability in the Plane project management tool allows authenticated users, including those with the GUEST role, to modify asset metadata and upload statuses across different workspaces and projects. This issue arises from the 'ProjectAssetEndpoint.patch()' method, which performs a global asset lookup without verifying workspace or project ownership. As a result, users can manipulate asset attributes by guessing or enumerating asset UUIDs.
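The missing ownership check described above can be shown with an in-memory model. This is an added example, not Plane's code or its 1.2.2 fix; the store, the membership table, and the names `patch_unscoped`, `patch_scoped`, `attributes` and `is_uploaded` are hypothetical.

```python
import uuid
from dataclasses import dataclass, field

class NotFound(Exception):
    """Raised for missing assets and for assets outside the caller's scope."""

@dataclass
class Asset:
    workspace: str
    project: str
    id: uuid.UUID = field(default_factory=uuid.uuid4)
    attributes: dict = field(default_factory=dict)   # hypothetical metadata field
    is_uploaded: bool = False                        # hypothetical upload status

ASSETS = {}                                          # asset id -> Asset
MEMBERSHIPS = {"guest-a": {("ws-a", "proj-a")}}      # constructed sample data

def add_asset(workspace, project):
    asset = Asset(workspace, project)
    ASSETS[asset.id] = asset
    return asset

def apply_changes(asset, changes):
    asset.attributes.update(changes.get("attributes", {}))
    asset.is_uploaded = changes.get("is_uploaded", asset.is_uploaded)
    return asset

def patch_unscoped(user, asset_id, changes):
    """Flawed pattern: the asset is found by UUID alone, so any caller can edit it."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise NotFound(asset_id)
    return apply_changes(asset, changes)

def patch_scoped(user, workspace, project, asset_id, changes):
    """Scoped pattern: the caller must belong to the route's workspace/project
    and the asset must live there; both failures look like a plain 404."""
    scope = (workspace, project)
    asset = ASSETS.get(asset_id)
    if (scope not in MEMBERSHIPS.get(user, set())
            or asset is None
            or (asset.workspace, asset.project) != scope):
        raise NotFound(asset_id)
    return apply_changes(asset, changes)
```

Returning the same error for "does not exist" and "belongs to another workspace" keeps the scoped handler from confirming which UUIDs are valid.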

Impact

Exploitation of this vulnerability allows for unauthorized modification of asset metadata and upload statuses across all workspaces and projects in the Plane instance, violating authorization boundaries and potentially corrupting data workflows.

Remediation

Users can upgrade to Plane version 1.2.2 to address this vulnerability.

Added: Feb 25, 2026, 7:44 PM
Updated: Feb 25, 2026, 7:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.