{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39374", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.350Z", "datePublished": "2026-04-07T19:37:31.834Z", "dateUpdated": "2026-04-08T14:35:28.762Z"}, "containers": {"cna": {"title": "Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-4q54-h4x9-m329", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-4q54-h4x9-m329"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:37:31.834Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0."}], "source": {"advisory": "GHSA-4q54-h4x9-m329", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:34:54.918830Z", "id": "CVE-2026-39374", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:35:28.762Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39374", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:34:54.918830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:35:25.300Z"}}], "cna": {"title": "Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint", "source": {"advisory": "GHSA-4q54-h4x9-m329", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"status": "affected", "version": "< 1.3.0"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-4q54-h4x9-m329", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-4q54-h4x9-m329", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:37:31.834Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39374", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:35:28.762Z", "dateReserved": "2026-04-06T21:29:17.350Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:37:31.834Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0."}], "id": "CVE-2026-39374", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:32.293", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/makeplane/plane/security/advisories/GHSA-4q54-h4x9-m329"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "plane", "source": "cna", "vendor": "makeplane"}, "product": "plane", "vendor": "makeplane"}], "analysis": {"en": {"generated_at": "2026-04-07T22:18:59.722915+00:00", "value": {"mitigation_remediation": ["Upgrade Plane to version 1.3.0 or later, where the bulk\u2011update endpoint enforces workspace membership.", "If an upgrade is not immediately possible, restrict the bulk\u2011update endpoint to administrators only or disable it if unused.", "Review and tighten project roles to limit MEMBER and ADMIN permissions to trusted users.", "Monitor logs for unexpected bulk updates to issue dates and investigate anomalies."], "summary": {"action": "Patch Upgrade", "impact": "Unauthorized modification of issue dates across workspaces"}, "threat_synthesis": {"affected_systems": "Plane by makeplane (makeplane:plane). All releases prior to version 1.3.0 are affected. The bulk\u2011update endpoint accepts any issue ID and permits date changes regardless of the workspace or project to which the issue belongs.", "description_and_impact": "This vulnerability allows a project member with either ADMIN or MEMBER role to change the start_date and target_date fields of any issue in the Plane instance. The endpoint processes issue identifiers without verifying project or workspace membership, thereby bypassing normal access controls. Attackers can rewrite issue timelines, potentially disrupting project schedules and reporting.", "risk_and_exploitability": "CVSS score 6.5 indicates moderate severity. Although EPSS is not available and the vulnerability is not listed in the KEV catalog, the absence of filtering on the bulk\u2011update endpoint makes exploitation straightforward for any authenticated user with project membership. Exploitation requires only existing project roles, so the risk to organizations that often grant broad project access is significant. Immediate upgrading mitigates the risk."}}}}, "created": "2026-04-08T19:34:38.847810+00:00", "updated": "2026-04-08T19:46:11.660307+00:00", "vendors": ["makeplane", "makeplane$PRODUCT$plane"]}