CVE-2026-30242
HIGHPlane < 1.2.3 - Authenticated Server-Side Request Forgery via Webhook URL Validation Bypass
Title source: llmDescription
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73
Release Notes x_refsource_misc
https://github.com/makeplane/plane/releases/tag/v1.2.3
Scores
CVSS v3
8.5
EPSS
0.0001
EPSS Percentile
3.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
plane/plane
< 1.2.3
pypi/plane
0 - 1.2.3PyPI
Published
Mar 06, 2026
Tracked Since
Mar 07, 2026