PT-2026-1101 · Plane · Plane

Published 2026-01-02 · Updated 2026-01-02 · CVE-2025-69284

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Plane versions prior to 1.2.0

Description

Plane is an open-source project management tool. A guest user, lacking the necessary permissions, could access the /api/workspaces/:slug/members/ endpoint and list the users of a workspace they have joined. The display name in the response corresponds to the user's email address, potentially allowing a malicious guest to identify the email addresses of administrator users. The vulnerable API endpoint is /api/workspaces/:slug/members/. The display name variable contains the email handle.

Recommendations

Update to version 1.2.0 or later.

Exploit

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2025-69284
GHSA-7QX6-6739-C7QR

Affected Products

Plane