CVE-2025-69284
MEDIUMPlane < 1.2.0 - Unauthenticated Improper Access Control via Workspace Members API
Title source: llmDescription
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guest and able to list of users on a specific workspace that they joined. Since the `display_name` in the response is actually the handler of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qr
Scores
CVSS v3
4.3
EPSS
0.0016
EPSS Percentile
5.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (1)
plane/plane
1.1.0
Published
Jan 02, 2026
Tracked Since
Feb 18, 2026