CVE-2026-27705
Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch
Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579-593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
| Field | Value |
|---|---|
| CWE | CWE-639 |
| Vendor | makeplane |
| Product | plane |
| Published | Feb 25, 2026 |
| Last Updated | Feb 25, 2026 |
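As an added illustration (not Plane's own code), the unscoped lookup shape the advisory describes is shown beside a lookup scoped to the workspace and project from the URL, which is the usual fix for CWE-639. `Asset`, `AssetStore`, `NotFound` and the `patch_asset_*` functions are hypothetical stand-ins for the Django ORM pieces, and the sample asset is constructed.

```python
import uuid
from dataclasses import dataclass, field

class NotFound(Exception):
    pass  # stands in for Django's Http404 / FileAsset.DoesNotExist

@dataclass
class Asset:  # stands in for a FileAsset row
    id: uuid.UUID
    workspace_slug: str
    project_id: str
    attributes: dict = field(default_factory=dict)
    is_uploaded: bool = False

class AssetStore:  # stands in for FileAsset.objects; get() takes ORM-style filters
    def __init__(self, assets):
        self._rows = {a.id: a for a in assets}

    def get(self, id, **filters):
        row = self._rows.get(id)
        if row is None or any(getattr(row, k) != v for k, v in filters.items()):
            raise NotFound(str(id))
        return row

def _apply(asset, payload):
    asset.attributes = payload.get("attributes", asset.attributes)
    asset.is_uploaded = payload.get("is_uploaded", asset.is_uploaded)
    return asset

def patch_asset_unscoped(store, slug, project_id, pk, payload):
    """Vulnerable shape (CWE-639): only pk is looked up; the URL's scope is ignored."""
    return _apply(store.get(pk), payload)

def patch_asset_scoped(store, slug, project_id, pk, payload):
    """Fixed shape: the row must also match the workspace and project in the URL."""
    return _apply(store.get(pk, workspace_slug=slug, project_id=project_id), payload)

# Constructed sample data: one asset owned by workspace "acme", project "p1".
ASSET_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")
STORE = AssetStore([Asset(ASSET_ID, "acme", "p1")])

def demo():
    """PATCH addressed to a foreign workspace/project: (unscoped changed it?, scoped rejected it?)"""
    payload = {"is_uploaded": True}
    leaked = patch_asset_unscoped(STORE, "other", "p9", ASSET_ID, payload).is_uploaded
    try:
        patch_asset_scoped(STORE, "other", "p9", ASSET_ID, payload)
        return leaked, False
    except NotFound:
        return leaked, True
```

The scoped lookup turns a foreign asset ID into a 404 rather than a silent cross-workspace write, which is also the response a test suite should assert on for every object-by-ID endpoint.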