Vulnerability DatabaseCVE-2026-27705
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-27705
February 25, 2026
Plane is an an open-source project management tool. Prior to version 1.2.2, the "ProjectAssetEndpoint.patch()" method in "apps/api/plane/app/views/asset/v2.py" (lines 579–593) performs a global asset lookup using only the asset ID ("pk") via "FileAsset.objects.get(id=pk)", without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the "attributes" and "is_uploaded" status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
Affected Packages
https://github.com/makeplane/plane.git (GITHUB):
Affected version(s) >=v0.1-dev <v1.2.2
Fix Suggestion:
Update to version v1.2.2
Related Resources (3)
https://github.com/makeplane/plane/releases/tag/v1.2.2
https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96
https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j
Do you need more information?
Contact Us
CVSS v4
Base Score:
4.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
CWE-639
EPSS
Base Score:
0.03