PT-2026-31005 · Plane · Plane

Tristaninsec · Published: 2026-04-07 · Updated: 2026-04-08 · CVE-2026-39374

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.3.0

Description: Plane, an open-source project management tool, has an issue where the IssueBulkUpdateDateEndpoint allows a project member with ADMIN or MEMBER privileges to modify the start date and target date of any issue across the entire Plane instance, irrespective of workspace or project membership. The endpoint retrieves issues by ID without proper filtering, leading to cross-boundary data modification.

Recommendations: Update to version 1.3.0 or later.
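
The flaw class described above, as an added example that is not Plane's code: a bulk date update that resolves issues by ID alone, next to a version that only resolves IDs inside the workspace and project the caller was authorized for. The in-memory store, function names and sample data are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Issue:
    id: str
    workspace: str
    project: str
    start_date: Optional[date] = None
    target_date: Optional[date] = None

def make_store():
    # Constructed sample data: one issue in the caller's project, one in a foreign workspace.
    return {i.id: i for i in (Issue("i-1", "acme", "web"),
                              Issue("i-2", "other-corp", "payroll"))}

def _apply(issue, update):
    issue.start_date = update.get("start_date", issue.start_date)
    issue.target_date = update.get("target_date", issue.target_date)

def bulk_update_unscoped(store, workspace, project, updates):
    """Flawed pattern: issues are fetched by ID alone; the route's workspace
    and project (already permission-checked for the caller) are never used."""
    changed = []
    for u in updates:
        issue = store.get(u["id"])
        if issue is not None:
            _apply(issue, u)
            changed.append(issue.id)
    return changed

def bulk_update_scoped(store, workspace, project, updates):
    """Hardened pattern: an ID only resolves inside the workspace and project
    the caller was authorized for; anything else is reported, not modified."""
    changed, rejected = [], []
    for u in updates:
        issue = store.get(u["id"])
        if issue is None or (issue.workspace, issue.project) != (workspace, project):
            rejected.append(u["id"])
            continue
        _apply(issue, u)
        changed.append(issue.id)
    return changed, rejected

if __name__ == "__main__":
    req = [{"id": "i-1", "target_date": date(2026, 5, 1)},
           {"id": "i-2", "target_date": date(2026, 5, 1)}]
    print(bulk_update_unscoped(make_store(), "acme", "web", req))
    print(bulk_update_scoped(make_store(), "acme", "web", req))
```

The rejected list returned by the scoped version is a useful audit signal: a request from one project that names issue IDs belonging to another is worth logging.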

Fix · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-39374

Affected Products: Plane