PT-2026-42269 · Plane · Plane

Tristaninsec · Published 2026-05-20 · Updated 2026-05-20

CVE-2026-40102 · CVSS v3.1 6.5 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.3.1

Description: An ORM field reference injection exists where the SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation. An authenticated workspace MEMBER can send a GET request to the endpoint '/api/workspaces//saved-analytic-view//' with a crafted segment value. This value is forwarded into the build_graph_plot() function and can traverse foreign-key relationships, such as workspace__owner__password, before being projected via .values("dimension", "segment"). The referenced field values are then returned directly in the JSON response, exposing sensitive data including bcrypt password hashes, API tokens, and email addresses of related users.

Recommendations: Update to version 1.3.1. As a temporary workaround, restrict access to the '/api/workspaces//saved-analytic-view//' endpoint or avoid using the segment parameter until the update is applied.
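The pattern described above beside a hardened form, as an added example that is not Plane's code: the client may only choose a segment key from a server-side allowlist, and the server alone decides which ORM field path (including any relation traversal) that key maps to, so a crafted segment value never reaches F(). The allowlist entries and function names are assumptions.

```python
import re
from typing import Optional

# Constructed allowlist for this example; the set of segments Plane actually
# supports is not given on the advisory page, so these names are hypothetical.
ALLOWED_SEGMENTS = {
    "priority": "priority",
    "state": "state__name",               # the server chooses which relations to follow
    "assignee": "assignees__display_name",
}

# A key the client is allowed to name is a plain identifier. Anything with a
# "__" lookup separator is a relation traversal or lookup and is never accepted.
_PLAIN_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidSegment(ValueError):
    """Raised when the segment query parameter is not an allowed dimension."""


def vulnerable_segment_field(segment: str) -> str:
    # The pattern the advisory describes: the query parameter becomes the F()
    # argument unchanged, so any related field reachable from the model can be
    # projected by .values("dimension", "segment").
    return segment


def safe_segment_field(segment: Optional[str]) -> Optional[str]:
    # Hardened form: validate the key, then map it to a server-defined path.
    if not segment:
        return None
    if "__" in segment or not _PLAIN_KEY.match(segment):
        raise InvalidSegment(f"segment {segment!r} is not a plain key")
    try:
        return ALLOWED_SEGMENTS[segment]
    except KeyError:
        raise InvalidSegment(f"segment {segment!r} is not an allowed dimension") from None


# In the Django view (not executed here) the result is the only value that
# may be wrapped in an F() expression:
#   qs.annotate(segment=F(safe_segment_field(request.GET.get("segment"))))
```

Rejecting the request with a 400 on InvalidSegment, rather than silently dropping the parameter, also gives a clean signal to log and alert on repeated traversal attempts.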

Related Identifiers: CVE-2026-40102

Affected Products: Plane