PT-2026-21941 · Plane · Plane
Q1Uf3Ng
Published: 2026-02-25 · Updated: 2026-03-25
CVE-2026-27705
CVSS v3.1: 6.5 (Medium) · AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.2.2

Description: Plane is an open-source project management tool. The ProjectAssetEndpoint.patch() method in apps/api/plane/app/views/asset/v2.py (lines 579–593) performs a global asset lookup using only the asset ID (pk) via FileAsset.objects.get(id=pk), without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user, including those with the GUEST role, to modify the attributes and is_uploaded status of assets belonging to any workspace or project within the Plane instance by guessing or enumerating asset UUIDs. The affected API endpoint is /api/v1/assets/{id}, where id is the asset ID (pk).

Recommendations: Versions prior to 1.2.2 should be updated to version 1.2.2 or later.
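The unscoped lookup described above next to its scoped counterpart, as an added Python example that is not Plane's own code: Asset, AssetStore and the patch functions are hypothetical in-memory stand-ins for the FileAsset model and ProjectAssetEndpoint.patch(), and the workspace and project arguments play the role of the values taken from the URL path.

```python
from dataclasses import dataclass, field
# Hypothetical in-memory stand-in for the FileAsset model; field names are assumptions.
@dataclass
class Asset:
    id: str
    workspace: str
    project: str
    attributes: dict = field(default_factory=dict)
    is_uploaded: bool = False

class AssetStore:
    def __init__(self, assets):
        self._by_id = {a.id: a for a in assets}

    def get_by_pk(self, pk):
        # Vulnerable: global lookup keyed on id alone, like FileAsset.objects.get(id=pk).
        if pk not in self._by_id:
            raise LookupError(pk)  # stands in for the ORM's DoesNotExist / a 404
        return self._by_id[pk]

    def get_scoped(self, pk, workspace, project):
        # Hardened: the asset must also belong to the workspace and project named in
        # the URL path, and a mismatch is reported exactly like a missing asset.
        asset = self._by_id.get(pk)
        if asset is None or (asset.workspace, asset.project) != (workspace, project):
            raise LookupError(pk)
        return asset

def _apply_patch(asset, data):
    asset.attributes.update(data.get("attributes", {}))
    if "is_uploaded" in data:
        asset.is_uploaded = bool(data["is_uploaded"])
    return asset

def patch_vulnerable(store, workspace, project, pk, data):
    return _apply_patch(store.get_by_pk(pk), data)  # path scope is ignored

def patch_fixed(store, workspace, project, pk, data):
    return _apply_patch(store.get_scoped(pk, workspace, project), data)

def cross_tenant_patch_succeeds(patch_fn):
    # Constructed scenario: caller is scoped to workspace 'other'/project 'p9'
    # and targets an asset owned by 'acme'/'p1'. True means the write went through.
    store = AssetStore([Asset("a1", "acme", "p1")])
    try:
        patch_fn(store, "other", "p9", "a1", {"is_uploaded": True})
    except LookupError:
        pass
    return store.get_by_pk("a1").is_uploaded
```

With the scoped lookup the cross-tenant write fails with the same not-found result a bad id would produce, while an in-scope patch still updates attributes and is_uploaded.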

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-27705, GHSA-RFJ3-8C85-G46J

Affected Products: Plane