PT-2026-23619 · Plane · Plane

Sanu1999 · Published 2026-03-05 · Updated 2026-03-10 · CVE-2026-30244

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Plane versions prior to 1.2.2

Description

An issue exists in Plane that allows unauthenticated attackers to enumerate workspace members and extract sensitive information, including email addresses, user roles, and internal identifiers. This is due to incorrectly configured Django REST Framework permission classes allowing anonymous access to protected endpoints.

Attackers can enumerate all members of any workspace without authentication, extract user email addresses and personally identifiable information, identify administrative accounts, map organizational structure, and conduct reconnaissance for social engineering attacks.

The affected API endpoints are: /api/public/workspaces/{workspace slug}/members/ and /api/public/workspaces/{workspace slug}/projects/{project id}/members/. The vulnerable parameter is workspace slug.

Recommendations

Update to version 1.2.2 or later.
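
A log-review sketch for the two endpoints listed above, added here as an example (not code from Plane or from this advisory): it flags clients that received 200 responses on the member endpoints without a session, across several workspaces. The log layout, the `anon`/`user` auth field, the addresses, slugs and project id are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the two endpoints named in the advisory; the workspace slug and
# project id are treated as opaque path segments.
MEMBERS_RE = re.compile(
    r"^/api/public/workspaces/(?P<slug>[^/]+)/"
    r"(?:projects/(?P<project>[^/]+)/)?members/?(?:\?.*)?$"
)
# Assumed (constructed) log layout: client, auth state, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<auth>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def find_anonymous_member_reads(lines, slug_threshold=2):
    """Return {client: sorted workspace slugs} for anonymous GETs answered
    with 200 on the member endpoints, keeping only clients that touched at
    least slug_threshold distinct workspaces."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["auth"] != "anon":
            continue
        if m["status"] != "200":
            continue  # 401/403 is the expected answer for anonymous callers
        endpoint = MEMBERS_RE.match(m["path"])
        if endpoint:
            seen[m["client"]].add(endpoint["slug"])
    return {c: sorted(s) for c, s in seen.items() if len(s) >= slug_threshold}

# Constructed sample lines (documentation address ranges, made-up slugs).
SAMPLE_LOG = """
203.0.113.7 anon "GET /api/public/workspaces/acme/members/ HTTP/1.1" 200
203.0.113.7 anon "GET /api/public/workspaces/globex/members/ HTTP/1.1" 200
203.0.113.7 anon "GET /api/public/workspaces/globex/projects/p1/members/ HTTP/1.1" 200
198.51.100.20 user "GET /api/public/workspaces/acme/members/ HTTP/1.1" 200
198.51.100.21 anon "GET /api/public/workspaces/acme/members/ HTTP/1.1" 403
198.51.100.22 anon "GET /api/public/workspaces/acme/issues/ HTTP/1.1" 200
198.51.100.23 anon "GET /api/public/workspaces/initech/members/ HTTP/1.1" 200
"""

if __name__ == "__main__":
    for client, slugs in find_anonymous_member_reads(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: anonymous member reads on {len(slugs)} workspaces: {slugs}")
```

With `slug_threshold=1` the function also reports single-workspace reads, which is useful when checking whether any anonymous 200 was ever served before the upgrade to 1.2.2.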

Exploit

Fix

Improper Access Control

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-30244
GHSA-87X4-J8VH-P5QF

Affected Products

Plane