PT-2026-23618 · Plane · Plane

Byamb4 · Published 2026-03-05 · Updated 2026-03-10

CVE-2026-30242 · CVSS v3.1 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.2.3

Description: The webhook URL validation in plane/app/serializers/webhook.py only checks whether the IP address is a loopback address, allowing attackers with the workspace ADMIN role to create webhooks pointing to private or internal network addresses such as 10.x.x.x, 172.16.x.x, 192.168.x.x, and 169.254.169.254. When webhook events are triggered, the server sends requests to these internal addresses and stores the response, enabling Server-Side Request Forgery (SSRF) with full response read-back. This can lead to cloud metadata exfiltration, internal service scanning, and data exfiltration via response logs.

Recommendations: Versions prior to 1.2.3 should be updated to version 1.2.3 or later.
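The weak loopback-only check described above, beside a hardened validator of the kind a fix needs. This is an added example, not Plane's code: the function names, the `resolve` hook and the sample hosts are assumptions, and the hardened version also resolves hostnames and judges IPv4-mapped IPv6 literals, which the advisory does not spell out.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed value: the cloud metadata address named in the advisory.
METADATA_IP = ipaddress.ip_address("169.254.169.254")

def weak_check(host: str) -> bool:
    """Loopback-only check of the kind the advisory describes (assumed shape,
    not Plane's code): 10.x, 172.16.x, 192.168.x and 169.254.x all pass."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname is not inspected at all

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def default_resolve(host: str) -> list:
    """Every address the hostname maps to (A and AAAA), so none is missed."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_address(addr: str) -> bool:
    """Reject loopback, RFC 1918, link-local (incl. metadata), reserved, etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified
                or ip == METADATA_IP)

def is_safe_webhook_url(url: str, resolve=default_resolve) -> bool:
    """Hardened check: http(s) only, and every resolved address must be public.
    `resolve` is a hook (assumption) so the check can be tested offline."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [host] if _is_ip_literal(host) else list(resolve(host))
    except (socket.gaierror, OSError):
        return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)
```

Validating at creation time is not sufficient on its own: the address should be re-checked when the webhook is delivered, and redirects must either be refused or re-validated, since a resolved or redirected target can change between the two moments.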

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-30242
GHSA-FPX8-73GF-7X73

Affected Products

Plane