
CVE-2026-30242: CWE-918: Server-Side Request Forgery (SSRF) in makeplane plane

Severity: High
Tags: Vulnerability, CVE-2026-30242, CWE-918
Published: Fri Mar 06 2026 (03/06/2026, 21:19:24 UTC)
Source: CVE Database V5
Vendor/Project: makeplane
Product: plane

Description

Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/14/2026, 19:44:03 UTC

Technical Analysis

CVE-2026-30242 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source project management tool Plane, specifically in versions prior to 1.2.3. The vulnerability stems from inadequate validation of webhook URLs in the file plane/app/serializers/webhook.py, where the validation logic only checks if the IP address is a loopback address (e.g., 127.0.0.1) but fails to block private or link-local IP ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and the special metadata IP 169.254.169.254. Attackers possessing workspace ADMIN privileges can exploit this by creating malicious webhooks that point to internal network resources. When webhook events are triggered, the Plane server performs HTTP requests to these internal addresses and stores the full response content. This behavior allows an attacker to perform SSRF attacks with full response read-back capability, potentially exposing sensitive internal services, configuration data, or cloud instance metadata that could lead to further compromise. The vulnerability does not require user interaction beyond webhook creation but does require authenticated ADMIN access, limiting the attack surface to privileged users. The issue was addressed in Plane version 1.2.3 by improving URL validation to block private and link-local IP addresses. The CVSS v3.1 base score is 8.5, reflecting a network attack vector with low complexity, requiring privileges but no user interaction, and causing high confidentiality impact with limited integrity impact and no availability impact. No known exploits in the wild have been reported as of the publication date.

Potential Impact

The primary impact of CVE-2026-30242 is the unauthorized disclosure of sensitive internal information due to SSRF attacks. Attackers with ADMIN privileges can leverage this vulnerability to access internal network resources that are normally inaccessible from outside the Plane server, including private IP ranges and cloud metadata services. This can lead to exposure of sensitive configuration data, internal APIs, or credentials stored in metadata endpoints, potentially enabling lateral movement, privilege escalation, or further compromise of the organization's infrastructure. The confidentiality impact is high because attackers can read full HTTP responses from internal systems. Integrity impact is limited because the vulnerability does not allow modifying internal resources directly, and availability impact is negligible. Organizations using Plane in environments with sensitive internal services or cloud infrastructure are at significant risk. The requirement for ADMIN privileges reduces the risk from external unauthenticated attackers but elevates the threat from insider attackers or compromised admin accounts. Failure to patch could result in data breaches, compliance violations, and operational risks.

Mitigation Recommendations

1. Upgrade Plane to version 1.2.3 or later immediately to apply the official patch that properly validates webhook URLs and blocks private/internal IP addresses.
2. Audit existing webhook configurations to identify and remove any webhooks pointing to internal or private IP addresses.
3. Implement strict role-based access controls (RBAC) to limit ADMIN privileges only to trusted personnel and monitor for suspicious ADMIN activities.
4. Employ network segmentation and firewall rules to restrict the Plane server’s ability to initiate HTTP requests to sensitive internal IP ranges, minimizing the SSRF attack surface.
5. Monitor logs for unusual outbound HTTP requests from the Plane server, especially to internal IP addresses or metadata endpoints.
6. Consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities to detect and block malicious webhook-triggered requests.
7. Educate administrators about the risks of SSRF and the importance of validating webhook endpoints before creation.
8. If possible, disable webhook functionality temporarily until the patch is applied and configurations are verified.
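The following is an added example, not code from Plane or from the advisory, illustrating two points above: the loopback-only check the Description attributes to the vulnerable serializer versus a validator that refuses every non-public destination (private, link-local including 169.254.169.254, IPv4-mapped IPv6, and names that resolve to internal hosts), and an audit pass of the kind recommendation 2 calls for, run over a constructed set of stored webhook rows. Function names, the `FAKE_DNS` table, the injectable `resolver` parameter and the sample URLs are all assumptions made for this example; only the standard library is used so it runs offline.

```python
"""Added example (not Plane's own code): webhook destination validation
contrasted with a loopback-only check, plus an audit over stored webhooks."""
import ipaddress
import socket
from urllib.parse import urlsplit


def vulnerable_is_allowed(ip: str) -> bool:
    """Pre-1.2.3 behaviour as described in the advisory: only loopback is refused,
    so 10/8, 172.16/12, 192.168/16 and 169.254.169.254 all pass."""
    return not ipaddress.ip_address(ip).is_loopback


def address_is_internal(ip: str) -> bool:
    """Hardened check: treat anything that is not a globally routable unicast
    address as internal. Hypothetical helper written for this example."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.7) so the IPv4 rules apply to it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private       # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or addr.is_link_local    # 169.254/16 (covers 169.254.169.254), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified   # 0.0.0.0 and ::
        or not addr.is_global    # catches ranges such as 100.64/10 (CGNAT)
    )


def validate_webhook_url(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason). Literal IPs are checked directly; hostnames are
    resolved and refused if ANY resolved address is internal, so a DNS name
    pointing at an internal host is caught too. `resolver` is injectable so the
    check can be exercised offline (assumption of this example)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            infos = resolver(host, port)
        except socket.gaierror as exc:
            return False, f"dns failure: {exc}"
        addresses = [info[4][0] for info in infos]
    for ip in addresses:
        if address_is_internal(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"


def audit_webhooks(webhooks, resolver=socket.getaddrinfo):
    """Classify stored webhook rows; returns (id, url, reason) for each one
    that the hardened validator would reject."""
    flagged = []
    for hook in webhooks:
        ok, reason = validate_webhook_url(hook["url"], resolver)
        if not ok:
            flagged.append((hook["id"], hook["url"], reason))
    return flagged


# Constructed sample data: an offline stand-in for DNS and a few webhook rows
# of the shape one might export from a webhook table for review.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "internal-ci.corp.example": ["10.20.30.40"],
    "dual.example.com": ["93.184.216.35", "192.168.1.5"],  # one public, one private
}


def fake_resolver(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in FAKE_DNS[host]]


SAMPLE_WEBHOOKS = [
    {"id": "wh-1", "url": "https://hooks.example.com/plane"},
    {"id": "wh-2", "url": "http://169.254.169.254/"},
    {"id": "wh-3", "url": "http://internal-ci.corp.example:8080/notify"},
    {"id": "wh-4", "url": "http://[::ffff:10.0.0.7]/"},
    {"id": "wh-5", "url": "https://dual.example.com/hook"},
    {"id": "wh-6", "url": "http://127.0.0.1:8000/"},
]

if __name__ == "__main__":
    for row in audit_webhooks(SAMPLE_WEBHOOKS, fake_resolver):
        print("FLAG", *row)
```

Two design points worth noting: the validator resolves hostnames and rejects the URL if any address in the answer is internal, because a check that only inspects a literal IP is bypassed by a DNS name; and IPv4-mapped IPv6 literals are unwrapped before the range tests so that `::ffff:10.0.0.7` is judged as `10.0.0.7`. Resolution at validation time still leaves the later request exposed to a changed DNS answer, so the egress filtering in recommendation 4 remains the backstop.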


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-04T17:23:59.799Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69ab479ac48b3f10ffdbff8f

Added to database: 3/6/2026, 9:31:06 PM

Last enriched: 3/14/2026, 7:44:03 PM

Last updated: 4/20/2026, 4:18:56 AM

Views: 93
