CVE-2025-69284: CWE-284: Improper Access Control in makeplane plane
Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, however, the endpoint `/api/workspaces/:slug/members/` was accessible to guests, who could use it to list the users of any workspace they had joined. Because the `display_name` in the response is the local part of the user's email address (the portion before the `@`), a malicious guest can still work out admin users' email addresses. Version 1.2.0 fixes this issue.
AI Analysis
Technical Summary
CVE-2025-69284 is an improper access control vulnerability (CWE-284) in Plane, an open-source project management tool developed by makeplane. In versions prior to 1.2.0, guest users, who are otherwise restricted (they cannot open the workspace settings page, for example), can still call the API endpoint /api/workspaces/:slug/members/. The endpoint returns the list of users in the workspace, including a display_name field. Because display_name is populated from the local part of each user's email address (the portion before the @), the response discloses partial email addresses of all workspace members, administrators included; combined with a known organisation domain, that is usually enough to reconstruct the full address. A malicious guest can use this to identify and target privileged users for follow-on phishing or social engineering. The flaw does not permit modification or deletion of data and has no availability impact. Exploitation requires a guest account in the workspace but no user interaction. The issue was resolved in Plane 1.2.0 by restricting guest access to this endpoint, preventing unauthorised enumeration of workspace members. No exploits are known in the wild. The CVSS v3.1 base score is 4.3 (medium), reflecting a low confidentiality impact, low privileges required (any guest account) and no user interaction.
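The following is an added illustration, not Plane's own code: a minimal model of the flaw described above and of the role-gated check that closes it. The role values, the workspace, the accounts and the `WORKSPACES`, `list_members_vulnerable`, `list_members_fixed` and `admin_handles` names are all constructed for the example. The vulnerable variant only verifies that the caller belongs to the workspace, so a guest passes; the fixed variant additionally requires a minimum role before the membership list is serialised.

```python
"""Added example, not Plane's own code: a minimal model of the access-control
flaw behind CVE-2025-69284 and of the role-gated check that closes it.
Workspace, accounts and role values below are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Role(IntEnum):
    # Assumed ordering: a higher value means more privilege.
    GUEST = 5
    MEMBER = 15
    ADMIN = 20


@dataclass(frozen=True)
class Member:
    email: str
    role: Role
    display_name: Optional[str] = None


class Forbidden(Exception):
    """Raised where a real API would return HTTP 403."""


def default_display_name(email: str) -> str:
    # Models what the advisory describes: display_name falls back to the
    # local part of the email address (everything before the '@').
    return email.rsplit("@", 1)[0]


# Constructed workspace: one admin, one member with a custom display name,
# and the guest account the attacker controls.
WORKSPACES: Dict[str, List[Member]] = {
    "acme": [
        Member("alice.admin@example.com", Role.ADMIN),
        Member("bob@example.com", Role.MEMBER, display_name="Bob"),
        Member("guest.user@example.org", Role.GUEST),
    ]
}


def _membership(slug: str, actor_email: str) -> Member:
    for m in WORKSPACES.get(slug, []):
        if m.email == actor_email:
            return m
    raise Forbidden(f"{actor_email} is not a member of {slug}")


def _serialize(m: Member) -> Dict[str, object]:
    return {
        "display_name": m.display_name or default_display_name(m.email),
        "role": int(m.role),
    }


def list_members_vulnerable(slug: str, actor_email: str) -> List[Dict[str, object]]:
    """Pre-1.2.0 behaviour as the advisory describes it: any workspace
    member, guests included, may list the membership."""
    _membership(slug, actor_email)
    return [_serialize(m) for m in WORKSPACES[slug]]


def list_members_fixed(slug: str, actor_email: str,
                       min_role: Role = Role.MEMBER) -> List[Dict[str, object]]:
    """Role-gated variant: membership alone is not enough; the caller must
    hold at least `min_role` in this particular workspace."""
    actor = _membership(slug, actor_email)
    if actor.role < min_role:
        raise Forbidden(f"role {actor.role.name} may not list members of {slug}")
    return [_serialize(m) for m in WORKSPACES[slug]]


def admin_handles(response: List[Dict[str, object]]) -> List[str]:
    """What a malicious guest extracts: display names of admin accounts,
    which by default are email local parts."""
    return [str(r["display_name"]) for r in response if r["role"] == Role.ADMIN]


if __name__ == "__main__":
    leaked = admin_handles(list_members_vulnerable("acme", "guest.user@example.org"))
    print("vulnerable endpoint leaks admin handles:", leaked)
    try:
        list_members_fixed("acme", "guest.user@example.org")
    except Forbidden as exc:
        print("fixed endpoint:", exc)
```

The check is deliberately scoped to the workspace named in the URL: a user who is an admin in one workspace and a guest in another must be evaluated against the role held in the workspace being queried, which is the point a generic "is authenticated and is a member" guard misses.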
Potential Impact
For European organizations running Plane versions prior to 1.2.0, this vulnerability poses a risk of partial confidentiality loss. Exposure of the email local parts of workspace members, administrators included, facilitates targeted phishing and social engineering, which are common initial vectors for more serious intrusions. The vulnerability does not allow data to be modified or disrupted, but the disclosure lets an attacker pick out high-value targets, which matters most for organizations that track sensitive projects or intellectual property in Plane. The impact is more pronounced in sectors with strict data-protection requirements, such as finance, healthcare and government. Because email addresses are personal data under GDPR, the disclosure may also carry compliance consequences. Exploitation does require guest access to the workspace, so the exposure is bounded by how freely guest accounts are issued and by the organization's onboarding controls.
Mitigation Recommendations
European organizations should upgrade all Plane instances to version 1.2.0 or later without delay. Until the upgrade is applied, administrators should review guest accounts and grant guest access only to trusted users; since display_name defaults to the email local part, having members (especially administrators) set a display name that does not mirror their address also reduces what the endpoint reveals. Apply network segmentation and access controls so that the Plane application is reachable only by the users who need it. Monitor API access logs for guest accounts calling /api/workspaces/:slug/members/, particularly repeated or cross-workspace calls, which indicate enumeration rather than incidental use. Educate workspace members, administrators above all, about phishing risks, and require multifactor authentication so that a harvested address cannot be turned into account access. Where possible, use email aliasing so that the address registered in Plane is not the one used for privileged accounts. Audit user roles and permissions in Plane regularly to keep guest access consistent with least privilege.
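As an added example of the log monitoring suggested above (not part of the advisory, and not a Plane feature): the script below runs over constructed JSON-lines access log entries, flags successful members-endpoint calls made by guest accounts, and counts how many distinct workspaces each guest has enumerated. The log format, the `user` and `path` field names and the `ROLES` lookup table are assumptions; in a real deployment the role table would be exported from Plane's workspace membership data and the log format would follow whatever reverse proxy or application logger is in front of the API.

```python
"""Added example, not part of the advisory or of Plane: a detection sketch
that flags guest accounts calling the workspace members endpoint. Log
format, field names and the role table are assumed and constructed here."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Matches the vulnerable endpoint; the query string is stripped before matching.
MEMBERS_PATH = re.compile(r"^/api/workspaces/(?P<slug>[^/]+)/members/?$")

# Assumed role lookup keyed by (workspace slug, account). In practice this is
# exported from Plane's workspace membership table.
ROLES: Dict[Tuple[str, str], str] = {
    ("acme", "guest.user@example.org"): "guest",
    ("acme", "bob@example.com"): "member",
    ("beta", "guest.user@example.org"): "guest",
}

# Constructed JSON-lines access log; `user` is the authenticated account.
SAMPLE_LOG = """\
{"ts":"2026-01-02T15:01:10Z","user":"bob@example.com","method":"GET","path":"/api/workspaces/acme/members/","status":200}
{"ts":"2026-01-02T15:02:31Z","user":"guest.user@example.org","method":"GET","path":"/api/workspaces/acme/members/","status":200}
{"ts":"2026-01-02T15:02:32Z","user":"guest.user@example.org","method":"GET","path":"/api/workspaces/beta/members/?per_page=100","status":200}
{"ts":"2026-01-02T15:02:40Z","user":"guest.user@example.org","method":"GET","path":"/api/workspaces/acme/settings/","status":403}
{"ts":"2026-01-02T15:03:00Z","user":"guest.user@example.org","method":"GET","path":"/api/workspaces/acme/projects/","status":200}
not valid json, should be skipped
"""


def parse(log_text: str) -> List[dict]:
    """Parse JSON-lines input, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_guest_member_listing(events: List[dict]) -> List[dict]:
    """One finding per successful (2xx) members-listing call made by a guest.
    Denied calls (403) are not flagged: after the 1.2.0 fix they are the
    expected outcome and would only add noise."""
    findings = []
    for ev in events:
        path = str(ev.get("path", "")).split("?", 1)[0]
        match = MEMBERS_PATH.match(path)
        if not match or ev.get("method") != "GET":
            continue
        slug = match.group("slug")
        role = ROLES.get((slug, str(ev.get("user"))), "unknown")
        if role == "guest" and 200 <= int(ev.get("status", 0)) < 300:
            findings.append({"ts": ev["ts"], "user": ev["user"], "workspace": slug})
    return findings


def enumeration_summary(findings: List[dict]) -> Dict[str, int]:
    """Distinct workspaces enumerated per guest; more than one points to
    systematic harvesting rather than an accidental page load."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["user"]].add(f["workspace"])
    return {user: len(workspaces) for user, workspaces in seen.items()}


if __name__ == "__main__":
    hits = find_guest_member_listing(parse(SAMPLE_LOG))
    for h in hits:
        print("guest listed members:", h)
    print("workspaces enumerated per guest:", enumeration_summary(hits))
```

Running it against the sample prints two findings for the guest account and a per-guest count of two workspaces. The status filter is the practical caveat: once the instance is patched, the same guest request yields a 403, so a rule that alerted on every guest request to the path would keep firing on harmless probes.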
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-31T16:35:37.772Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6957eb35db813ff03ef355a3
Added to database: 1/2/2026, 3:58:45 PM
Last enriched: 1/2/2026, 4:15:16 PM
Last updated: 1/8/2026, 7:21:01 AM