HIGH 8.3

CVE-2026-46558: Plane Cross-Workspace Authorization Bypass (v1.3.1 Patch)

Plane, an open-source project management platform, contains a critical authorization flaw that allows any logged-in user to access, modify, and delete files and assets stored in other workspaces they should not have permission to reach. This cross-workspace bypass persists in all versions prior to 1.3.1, making it a significant risk for organizations running multi-tenant Plane deployments where workspace isolation is expected to protect sensitive project data. The vulnerability requires authentication but no special privileges, meaning any team member can exploit it immediately.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Weaknesses (CWE)
CWE-639, CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46558 stems from inadequate authorization controls in Plane's asset handling logic. The application fails to properly validate workspace boundaries when processing asset requests, violating both broken access control (CWE-862) and authorization bypass principles (CWE-639). An authenticated user can craft requests to read, copy, delete, or overwrite assets in workspaces outside their assigned scope. The CVSS 3.1 score of 8.3 (HIGH) reflects the combination of network-exploitable attack surface (AV:N), low attack complexity (AC:L), low privilege requirements (PR:L), and high impact to confidentiality and integrity with some availability impact.

Business impact

For organizations using Plane as a multi-team project management system, this vulnerability undermines workspace isolation and data compartmentalization. Teams relying on separate workspaces to segregate confidential projects, client work, or access-restricted information face the risk of unauthorized disclosure, modification, or destruction of critical project assets. The ability to delete or overwrite assets could disrupt project continuity and compromise audit trails. In compliance-sensitive environments (healthcare, finance, legal), cross-workspace data exposure may trigger regulatory reporting obligations.

Affected systems

Plane versions prior to 1.3.1 are vulnerable. This includes all stable releases and deployment configurations running an earlier version. Both self-hosted and cloud-hosted Plane instances are affected if they have not been updated to 1.3.1 or later. The vulnerability applies to any authenticated Plane user, regardless of their assigned role or workspace membership.

Exploitability

Exploitation is straightforward and requires only valid authentication credentials—no zero-day sophistication or social engineering needed. An attacker with legitimate access (employee, contractor, supply-chain partner) can immediately enumerate other workspaces and exfiltrate, modify, or sabotage assets. The absence of KEV status does not reduce practical risk; the low barrier to entry and high impact make this attractive to malicious insiders. External attackers who compromise a single user account gain immediate lateral movement across workspaces.

Remediation

Update Plane to version 1.3.1 or later immediately. This is a mandatory patch that restores proper authorization checks for cross-workspace asset requests. Before updating, inventory all Plane deployments in your environment and verify current version numbers. If you maintain a self-hosted instance, schedule an update during a maintenance window to avoid service disruption. After patching, conduct a review of access logs to identify whether unauthorized asset access has occurred.

Patch guidance

Upgrade Plane to version 1.3.1 or later as soon as practically possible. Follow your vendor's published upgrade documentation to ensure minimal downtime and data integrity. If you are on a version significantly older than 1.3.1, verify the upgrade path and test in a non-production environment first. The patch is cumulative and includes the authorization fix; no additional configuration changes are required. Pin your deployment to version 1.3.1 or set auto-update policies to prevent regression to earlier vulnerable builds.

Detection guidance

Monitor Plane application logs for cross-workspace asset API requests, particularly unusual DELETE, PUT, or COPY operations originating from users accessing workspaces outside their team assignments. Check for patterns such as rapid enumeration of workspace identifiers or repeated failed asset access attempts. Review access control logs to identify which workspaces each user accessed and correlate against your workspace-to-team mapping. If Plane exports or forwards logs to a SIEM, create alerts for unauthorized asset modifications. Post-patch, baseline normal behavior and flag anomalies as potential evidence of prior exploitation.

Why prioritize this

This is a HIGH-severity, easily exploitable vulnerability that directly impacts data confidentiality and integrity across multi-workspace deployments. The combination of low attack complexity, low privilege requirements, and high impact to sensitive project data makes it a top remediation priority. Organizations with strict data segregation requirements or regulatory obligations around workspace isolation should treat this as an emergency patch. Even if exploitation has not yet been detected, the attack surface and incentives for malicious insiders or compromised accounts are substantial.

Risk score, explained

The CVSS 3.1 score of 8.3 reflects a network-reachable vulnerability (AV:N) that requires only valid user credentials (PR:L) with no additional interaction needed (UI:N). The high impact on confidentiality (C:H) and integrity (I:H) reflects the ability to read and modify arbitrary workspace assets. The limited availability impact (A:L) accounts for deletion capabilities that could degrade asset availability but do not fully cripple the system. Notably, the authorization bypass affects the entire system boundary (S:U), not just the attacker's own workspace. This places the vulnerability solidly in the HIGH severity band and warrants rapid deployment of the patch.

Frequently asked questions

Can we detect if our workspace has been compromised by this vulnerability before patching?

Review audit logs for asset access and modifications by users outside the expected workspace membership. Look for unusual DELETE, COPY, or overwrite operations on assets, particularly if performed by junior staff or outsiders. Plane's activity logs should record these actions with user and workspace context. However, if detailed logging is not enabled or logs have been purged, evidence may be incomplete. After patching, conduct a full asset inventory audit to detect unauthorized changes.

Does a single compromised user account expose all workspaces in our Plane instance?

Yes. Any authenticated user, including those with minimal permissions in their assigned workspace, can exploit this vulnerability to access assets in any other workspace. Therefore, compromise of a contractor account, vendor integration account, or junior employee account creates exposure across all workspaces. Treat all authenticated accounts as potential pivot points for this attack until the patch is deployed.

Is version 1.3.1 a major release, or can we apply it without extensive testing?

Verify the release notes and changelog from the Plane project for version 1.3.1 to confirm it is primarily a security patch. If it is a minor or patch release focused on the authorization fix, standard testing (functional verification in a staging environment) is usually sufficient. However, if it includes breaking changes or dependency updates, more thorough regression testing may be warranted. Always review the vendor advisory and upgrade guide before applying to production.

What is the 'copy' action mentioned in the vulnerability, and why is that risky?

The copy action allows a user to duplicate assets from one workspace to another. In the context of this vulnerability, an attacker can copy sensitive project files, designs, or data from restricted workspaces into their own or into workspaces they control, enabling exfiltration without leaving obvious deletion evidence. This is particularly dangerous for intellectual property and confidential project information.

This analysis is provided for informational purposes to support security decision-making. It is based on the published vulnerability data as of the modification date (2026-06-17) and does not constitute legal, compliance, or operational advice. Verify all patch version numbers, upgrade procedures, and compatibility statements against the official Plane vendor advisory and release notes. SEC.co makes no warranty regarding the accuracy or completeness of remediation guidance for your specific deployment. Organizations are responsible for testing patches in their environments and determining appropriate remediation timelines based on their risk tolerance and operational constraints. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).