CVE-2025-69284 identifies an improper access control vulnerability (CWE-284) in Plane, an open-source project management tool developed by makeplane. The flaw exists in versions prior to 1.2.0, where guest users—who should have limited permissions—can access the API endpoint /api/workspaces/:slug/members/. This endpoint returns a list of users associated with a specific workspace. Although guests cannot access the workspace settings page, they can still enumerate members, including administrators. The vulnerability arises because the display_name field in the API response is derived from the email handler portion of users' email addresses, effectively leaking partial email information of admin users. This leakage enables attackers to identify and target privileged users for further attacks such as phishing or social engineering. The vulnerability does not allow modification or deletion of data, nor does it affect system availability. Exploitation requires only guest-level access, which is typically easy to obtain, and no user interaction is necessary. The issue was addressed in Plane version 1.2.0 by restricting guest access to the members API endpoint, thereby preventing unauthorized enumeration of workspace members. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 4.3, reflecting a medium severity level due to the limited impact on confidentiality and no impact on integrity or availability.

For European organizations using Plane versions prior to 1.2.0, this vulnerability poses a confidentiality risk by exposing partial email addresses of workspace members, including administrators. This information leakage can facilitate targeted phishing campaigns, social engineering attacks, or credential stuffing attempts against privileged users, potentially leading to further compromise. While the vulnerability does not directly allow unauthorized data modification or service disruption, the indirect risk of privilege escalation or account takeover is significant. Organizations in sectors with high reliance on collaborative project management tools—such as technology firms, financial institutions, and government agencies—may face increased risk due to the sensitive nature of their projects and data. The ease of exploitation (guest access only, no user interaction) increases the likelihood of reconnaissance activities by malicious actors. However, since no known exploits are currently reported, the immediate threat level is moderate but warrants proactive mitigation to prevent future exploitation.

European organizations should immediately upgrade Plane to version 1.2.0 or later to remediate this vulnerability. If upgrading is not immediately feasible, organizations should implement access control measures to restrict guest user permissions, specifically blocking access to the /api/workspaces/:slug/members/ endpoint. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block unauthorized API requests from guest users. Additionally, organizations should audit workspace membership visibility settings and review user roles to minimize exposure of sensitive user information. Employee awareness training should emphasize the risks of phishing and social engineering, especially targeting users identified through such information leaks. Monitoring and logging API access patterns can help detect anomalous enumeration attempts. Finally, organizations should maintain an inventory of Plane deployments and ensure timely application of security patches in the future.