CVE-2026-27705: CWE-639: Authorization Bypass Through User-Controlled Key in makeplane plane
Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-27705 affects Plane, an open-source project management tool, in versions prior to 1.2.2. The flaw is in the ProjectAssetEndpoint.patch() method in apps/api/plane/app/views/asset/v2.py (lines 579–593). The method loads the asset with a global lookup keyed on the asset ID alone, FileAsset.objects.get(id=pk), and never checks that the asset belongs to the workspace and project named in the URL path. Whatever permission check the endpoint runs is evaluated against that URL workspace and project, so a caller only needs a role (GUEST is enough) in some project of their own to satisfy it; the pk is then free to point at any asset in the instance. Any authenticated user can therefore modify the attributes and is_uploaded fields of assets in any workspace or project, given an asset UUID. This is CWE-639 (Authorization Bypass Through User-Controlled Key), the classic insecure direct object reference: a client-supplied object key is trusted instead of being constrained to the caller's tenant. Exploitation needs nothing beyond a valid session and no user interaction. Version 1.2.2 fixes the issue; the expected correction is to scope the lookup to the workspace and project from the URL (filter on them alongside id) so that a foreign asset ID resolves to a 404 rather than a writable object.
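The lookup pattern described above, reduced to a runnable comparison. This is an added illustration, not code from Plane or from the advisory: the Django ORM is replaced by a tiny in-memory table, and the FileAsset fields, the slug/project parameters and the workspace and asset data are assumed for the example.

```python
"""CWE-639 in the shape described for CVE-2026-27705: key-only lookup vs tenant-scoped lookup.

Added illustration, not Plane's code. Django's ORM is replaced by an
in-memory stand-in (AssetTable) so both endpoint shapes run offline;
FileAsset fields, the slug/project parameters and the demo data are assumed.
"""
import uuid
from dataclasses import dataclass, field


class DoesNotExist(Exception):
    """Stand-in for Django's Model.DoesNotExist, which a view maps to HTTP 404."""


@dataclass
class FileAsset:
    id: uuid.UUID
    workspace_slug: str
    project_id: uuid.UUID
    attributes: dict = field(default_factory=dict)
    is_uploaded: bool = False


class AssetTable:
    """Minimal stand-in for FileAsset.objects exposing .get(**filters)."""

    def __init__(self, rows):
        self._rows = list(rows)

    def get(self, **filters):
        hits = [r for r in self._rows
                if all(getattr(r, k) == v for k, v in filters.items())]
        if not hits:
            raise DoesNotExist(filters)
        return hits[0]


def apply_patch(asset, body):
    """Write only the two fields the advisory says the endpoint lets a caller change."""
    if "attributes" in body:
        asset.attributes.update(body["attributes"])
    if "is_uploaded" in body:
        asset.is_uploaded = bool(body["is_uploaded"])
    return asset


def patch_vulnerable(table, slug, project_id, pk, body):
    """Shape of the flaw: the workspace and project from the URL never reach the query."""
    asset = table.get(id=pk)  # global lookup keyed on a client-supplied id only
    return apply_patch(asset, body)


def patch_fixed(table, slug, project_id, pk, body):
    """Tenant-scoped lookup: an asset from another tenant looks exactly like a missing one."""
    asset = table.get(id=pk, workspace_slug=slug, project_id=project_id)
    return apply_patch(asset, body)


def demo():
    """A member of ws-a/proj-a PATCHes an asset that belongs to ws-b/proj-b."""
    proj_a, proj_b = uuid.uuid4(), uuid.uuid4()
    victim = FileAsset(uuid.uuid4(), "ws-b", proj_b, {"name": "q3-plan.pdf"}, True)
    table = AssetTable([FileAsset(uuid.uuid4(), "ws-a", proj_a), victim])
    body = {"attributes": {"name": "tampered"}, "is_uploaded": False}

    # Before the fix: the URL names a project the caller belongs to, so any
    # membership check passes, and the view then edits ws-b's asset by UUID alone.
    patch_vulnerable(table, "ws-a", proj_a, victim.id, body)
    vulnerable_modified = (victim.attributes["name"], victim.is_uploaded) == ("tampered", False)

    # After the fix: the same request cannot resolve the asset at all.
    victim.attributes["name"], victim.is_uploaded = "q3-plan.pdf", True
    try:
        patch_fixed(table, "ws-a", proj_a, victim.id, body)
        fixed_blocked = False
    except DoesNotExist:
        fixed_blocked = True
    fixed_untouched = (victim.attributes["name"], victim.is_uploaded) == ("q3-plan.pdf", True)

    # The scoped lookup still works for a caller inside the asset's own tenant.
    patch_fixed(table, "ws-b", proj_b, victim.id, body)
    owner_allowed = victim.attributes["name"] == "tampered"

    return {"vulnerable_modified": vulnerable_modified, "fixed_blocked": fixed_blocked,
            "fixed_untouched": fixed_untouched, "owner_allowed": owner_allowed}


if __name__ == "__main__":
    print(demo())
```

The point of the scoped lookup is that the tenant filter goes into the same query as the key, so there is no window in which a foreign object is loaded and then (maybe) checked; in Django terms this is `get_object_or_404(FileAsset, id=pk, workspace__slug=slug, project_id=project_id)` or an equivalent queryset filter, and the caller cannot distinguish "not yours" from "does not exist".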
Potential Impact
The direct impact is unauthorized modification of asset metadata across every workspace and project in an instance: an attacker can overwrite an asset's attributes or flip its is_uploaded flag, which can corrupt how attachments are described and, depending on how Plane treats assets not marked uploaded, make a legitimate attachment appear incomplete or a bogus one appear finished. That is an integrity problem first and an operational one second: confused users, broken attachment references, and lost confidence in tenant isolation, which is the property a multi-workspace tool exists to guarantee. The advisory describes no path to deleting assets or reading their contents through this endpoint, so confidentiality is not directly affected, although tampered metadata can be a stepping stone for social engineering. Because the only precondition is an authenticated session, a GUEST invite or a compromised low-privilege account is enough, so insider misuse and credential stuffing are the realistic threat models. Availability is not affected directly, though mis-flagged assets can disrupt day-to-day work.
Mitigation Recommendations
Upgrade every Plane instance to 1.2.2 or later; that is the only real fix. Until the upgrade lands: review who can authenticate at all, since GUEST accounts and external invitees reach the flaw just as well as members; watch PATCH traffic to the asset endpoints for a single account cycling through many asset IDs or producing a run of 404 responses, which is what UUID guessing looks like, and for asset edits from low-privilege accounts generally; keep the API reachable only from the networks and users that need it; and, if a WAF sits in front, rate-limit asset PATCH requests per account, understanding that a WAF cannot tell a foreign asset ID from a legitimate one and is a throttle, not a control. If asset IDs are version-4 UUIDs, as Django UUID primary keys usually are, blind guessing is impractical and the realistic attack uses an ID the attacker already holds from an attachment link or other shared reference, so the monitoring matters more than the rate limit. Continue to audit roles and project memberships against least privilege and enforce strong authentication to limit the value of a stolen session.
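A concrete form of the log monitoring suggested above, as an added example that is not part of Plane or of this advisory. It reads constructed JSON request-log lines (user, role, method, path, status; the role field presumes an application-side audit log rather than a bare proxy log) and flags two things: one account producing a run of 404s or touching many distinct asset IDs, which is what UUID guessing looks like, and any asset ID successfully PATCHed under more than one workspace/project path, which is what a successful cross-tenant edit looks like on an unpatched instance. The URL layout in ASSET_PATCH_RE is an assumption, not Plane's documented route.

```python
"""Spot asset-UUID guessing and cross-project asset edits in request logs.

Added example, not part of Plane. The log lines are constructed for this
example (one JSON object per line: user, role, method, path, status); map your
reverse-proxy or API audit log onto the same fields. The URL layout matched by
ASSET_PATCH_RE is an assumption, not Plane's documented route.
"""
import json
import re
from collections import defaultdict

ASSET_PATCH_RE = re.compile(
    r"/workspaces/(?P<ws>[^/]+)/projects/(?P<proj>[0-9a-f-]{36})"
    r"/assets/(?P<asset>[0-9a-f-]{36})/?$"
)

# Constructed sample: alice edits two of her own assets; mallory, a GUEST, walks
# six asset ids under her own project URL and gets one hit; bob's GET is noise.
SAMPLE_LOG = """\
{"user":"alice","role":"MEMBER","method":"PATCH","path":"/api/workspaces/acme/projects/11111111-1111-4111-8111-111111111111/assets/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1/","status":200}
{"user":"alice","role":"MEMBER","method":"PATCH","path":"/api/workspaces/acme/projects/11111111-1111-4111-8111-111111111111/assets/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa2/","status":200}
{"user":"bob","role":"MEMBER","method":"GET","path":"/api/workspaces/acme/projects/11111111-1111-4111-8111-111111111111/assets/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1/","status":200}
{"user":"mallory","role":"GUEST","method":"PATCH","path":"/api/workspaces/acme/projects/22222222-2222-4222-8222-222222222222/assets/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb1/","status":404}
{"user":"mallory","role":"GUEST","method":"PATCH","path":"/api/workspaces/acme/projects/22222222-2222-4222-8222-222222222222/assets/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb2/","status":404}
{"user":"mallory","role":"GUEST","method":"PATCH","path":"/api/workspaces/acme/projects/22222222-2222-4222-8222-222222222222/assets/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb3/","status":404}
{"user":"mallory","role":"GUEST","method":"PATCH","path":"/api/workspaces/acme/projects/22222222-2222-4222-8222-222222222222/assets/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1/","status":200}
{"user":"mallory","role":"GUEST","method":"PATCH","path":"/api/workspaces/acme/projects/22222222-2222-4222-8222-222222222222/assets/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb4/","status":404}
{"user":"mallory","role":"GUEST","method":"PATCH","path":"/api/workspaces/acme/projects/22222222-2222-4222-8222-222222222222/assets/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb5/","status":404}
"""


def parse(text):
    """Keep only PATCH requests to the asset route; return one dict per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = ASSET_PATCH_RE.search(rec["path"])
        if rec["method"] != "PATCH" or not m:
            continue
        events.append({"user": rec["user"], "role": rec["role"],
                       "status": int(rec["status"]), **m.groupdict()})
    return events


def find_suspects(events, min_404=3, min_distinct=5):
    """Return (per-user findings, asset ids PATCHed successfully under more than one project)."""
    per_user = defaultdict(lambda: {"role": None, "attempts": 0, "not_found": 0, "assets": set()})
    asset_scopes = defaultdict(set)  # asset id -> {(workspace, project)} it was edited under
    for e in events:
        s = per_user[e["user"]]
        s["role"], s["attempts"] = e["role"], s["attempts"] + 1
        s["assets"].add(e["asset"])
        if e["status"] == 404:
            s["not_found"] += 1
        if e["status"] < 400:
            asset_scopes[e["asset"]].add((e["ws"], e["proj"]))

    findings = []
    for user, s in sorted(per_user.items()):
        reasons = []
        if s["not_found"] >= min_404:
            reasons.append(f"{s['not_found']} asset PATCHes returned 404 (UUID guessing)")
        if len(s["assets"]) >= min_distinct:
            reasons.append(f"touched {len(s['assets'])} distinct asset ids")
        if reasons:
            findings.append({"user": user, "role": s["role"], "attempts": s["attempts"],
                             "not_found": s["not_found"], "distinct_assets": len(s["assets"]),
                             "reasons": reasons})
    cross_scope = sorted(a for a, scopes in asset_scopes.items() if len(scopes) > 1)
    return findings, cross_scope


if __name__ == "__main__":
    users, assets = find_suspects(parse(SAMPLE_LOG))
    for f in users:
        print(f)
    print("assets edited under more than one project:", assets)
```

The 404 heuristic keeps working after the upgrade, because a scoped lookup turns every cross-tenant attempt into a 404; the cross-scope signal, an asset ID edited successfully under two different project paths, is the one that indicates the bypass actually succeeded, and on a patched instance it should never fire.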
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T17:56:51.202Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699f5b59b7ef31ef0b4d0f11
Added to database: 2/25/2026, 8:28:09 PM
Last enriched: 2/25/2026, 8:41:02 PM
Last updated: 4/11/2026, 6:50:33 PM
Views: 70