CVE-2026-30244: CWE-284: Improper Access Control in makeplane plane
Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
AI Analysis
Technical Summary
CVE-2026-30244 is an access control vulnerability classified under CWE-284 and CWE-200 affecting the Plane project management tool developed by makeplane. The vulnerability arises from incorrect configuration of permission classes in the Django REST Framework, which is used by Plane to expose its API endpoints. Specifically, endpoints that provide workspace member information were left accessible to anonymous users, allowing unauthenticated attackers to enumerate all members within a workspace. This enumeration exposes sensitive data including email addresses, user roles, and internal identifiers that could be leveraged for further social engineering, phishing, or targeted attacks. The vulnerability affects all versions of Plane prior to 1.2.2 and is exploitable remotely without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and the confidentiality impact. The flaw does not impact data integrity or availability, and no known exploits have been reported in the wild as of the publication date. The issue was addressed by correcting the permission classes to enforce proper access control in version 1.2.2.
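The following is an added illustration, not Plane's code and not taken from the advisory. It is a small stand-in for Django REST Framework's permission-class protocol so that the misconfiguration described above (a member-listing endpoint whose permission classes admit anonymous callers) can be compared with a corrected configuration without installing Django. The class names AllowAny and IsAuthenticated and the has_permission(self, request, view) signature mirror DRF's; the view classes, the workspace data, the WorkspaceMemberPermission rule and the dispatch() helper are constructed for this example.

```python
# Added example (not Plane's code): a minimal stand-in for Django REST Framework's
# permission-class protocol. AllowAny / IsAuthenticated / has_permission() mirror
# DRF's names; the views, sample data and dispatch() are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample workspace data, keyed by workspace slug.
WORKSPACES = {
    "acme": [
        {"id": "u-1001", "email": "alice@example.invalid", "role": "admin"},
        {"id": "u-1002", "email": "bob@example.invalid", "role": "member"},
    ]
}


@dataclass
class User:
    id: Optional[str] = None          # None models an anonymous request
    workspaces: set = field(default_factory=set)

    @property
    def is_authenticated(self):
        return self.id is not None


@dataclass
class Request:
    user: User
    workspace_slug: str


class AllowAny:
    """Mirrors DRF's AllowAny: every request, anonymous or not, passes."""
    def has_permission(self, request, view):
        return True


class IsAuthenticated:
    """Mirrors DRF's IsAuthenticated: the request must carry an authenticated user."""
    def has_permission(self, request, view):
        return request.user.is_authenticated


class WorkspaceMemberPermission:
    """Constructed rule: the caller must belong to the workspace being listed."""
    def has_permission(self, request, view):
        return request.workspace_slug in request.user.workspaces


class WorkspaceMembersViewBase:
    permission_classes = []

    def get(self, request):
        return WORKSPACES.get(request.workspace_slug, [])


class VulnerableWorkspaceMembersView(WorkspaceMembersViewBase):
    # The pre-1.2.2 pattern the advisory describes: anonymous callers can list members.
    permission_classes = [AllowAny]


class HardenedWorkspaceMembersView(WorkspaceMembersViewBase):
    # Authentication first, then a membership check; DRF evaluates the classes in
    # order and denies on the first failure.
    permission_classes = [IsAuthenticated, WorkspaceMemberPermission]


def dispatch(view_cls, request):
    """Evaluate the view's permission classes the way DRF's check_permissions() does,
    then call get(). Returns (status_code, body). Simplification: a denied anonymous
    request maps to 401 and a denied authenticated one to 403."""
    view = view_cls()
    for perm_cls in view.permission_classes:
        if not perm_cls().has_permission(request, view):
            return (401 if not request.user.is_authenticated else 403), []
    return 200, view.get(request)


if __name__ == "__main__":
    anon = Request(User(), "acme")
    print(dispatch(VulnerableWorkspaceMembersView, anon))  # 200 and the member list
    print(dispatch(HardenedWorkspaceMembersView, anon))    # 401 and an empty body
```

The check worth copying into a project's own test suite is the second call: every view that returns per-workspace data should be exercised once with an anonymous request and once with an authenticated non-member, and both must be refused. A permission list that stops at IsAuthenticated still lets any logged-in user read every workspace, which is why the membership rule sits beside it.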
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information, which compromises confidentiality. Exposure of email addresses and user roles can facilitate targeted phishing campaigns, spear-phishing, or social engineering attacks against workspace members. Internal identifiers could also aid attackers in crafting more sophisticated attacks or in mapping organizational structures. While the vulnerability does not directly affect system integrity or availability, the leaked information can be a stepping stone for further attacks that may lead to privilege escalation or data breaches. Organizations relying on Plane for project management risk reputational damage, loss of user trust, and potential compliance violations related to data privacy. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and mass enumeration attacks, especially if the affected service is internet-facing.
Mitigation Recommendations
The definitive mitigation is to upgrade all affected Plane instances to version 1.2.2 or later, where the permission misconfiguration has been corrected. Until upgrade is possible, organizations should restrict external access to the Plane API endpoints through network controls such as firewalls or VPNs to limit exposure to unauthenticated users. Implementing Web Application Firewalls (WAFs) with rules to detect and block enumeration patterns can provide additional protection. Administrators should audit API permissions and review access control configurations to ensure no other endpoints are inadvertently exposed. Monitoring logs for unusual access patterns or enumeration attempts can help detect exploitation attempts early. Finally, educating users about phishing risks and enforcing strong email security controls can mitigate the impact of any information disclosure.
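As an added example of the log-monitoring recommendation above (not part of the advisory and not Plane's tooling), the script below scans JSON access-log lines for a source address that reads the member lists of several workspaces without any authenticated user in a short window. The log layout, the endpoint path pattern /api/workspaces/<slug>/members/, the sample lines and the thresholds are all assumptions constructed for this example; Plane's real routes and a given proxy's log format may differ and should be substituted.

```python
# Added example (not from the advisory or Plane): flag unauthenticated member-list
# enumeration in access logs. Log format, path pattern and thresholds are assumptions.
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed route shape; replace with the instance's real member-listing path.
MEMBERS_PATH = re.compile(r"^/api/workspaces/(?P<slug>[^/]+)/members/?$")

# Constructed sample log: JSON lines as a reverse proxy or API gateway might emit them.
# "user" is null when no authenticated identity was attached to the request.
SAMPLE_LOG = """
{"ts": "2026-03-06T21:00:01Z", "src": "203.0.113.7", "path": "/api/workspaces/acme/members/", "status": 200, "user": null}
{"ts": "2026-03-06T21:00:02Z", "src": "203.0.113.7", "path": "/api/workspaces/globex/members/", "status": 200, "user": null}
{"ts": "2026-03-06T21:00:03Z", "src": "203.0.113.7", "path": "/api/workspaces/initech/members/", "status": 200, "user": null}
{"ts": "2026-03-06T21:00:04Z", "src": "203.0.113.7", "path": "/api/workspaces/umbrella/members/", "status": 200, "user": null}
{"ts": "2026-03-06T21:05:00Z", "src": "198.51.100.20", "path": "/api/workspaces/acme/members/", "status": 200, "user": "u-1001"}
{"ts": "2026-03-06T21:05:30Z", "src": "198.51.100.21", "path": "/api/workspaces/acme/members/", "status": 401, "user": null}
{"ts": "2026-03-06T21:06:00Z", "src": "198.51.100.21", "path": "/api/workspaces/acme/issues/", "status": 200, "user": "u-1002"}
"""


def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_member_enumeration(lines, window=timedelta(minutes=5), min_hits=3, min_workspaces=2):
    """Return one alert per source address that, with no authenticated user, received a
    200 for the member list of at least `min_workspaces` workspaces within `window`.
    Only status 200 counts: on a patched instance these requests return 401/403, so a
    successful anonymous read is itself evidence that the host is still exposed."""
    hits = defaultdict(list)  # source address -> [(timestamp, workspace slug)]
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        m = MEMBERS_PATH.match(rec["path"])
        if m and rec["user"] is None and rec["status"] == 200:
            hits[rec["src"]].append((rec["ts"], m.group("slug")))

    alerts = []
    for src, events in hits.items():
        events.sort()
        # Slide a window over this source's events; report the first one that trips.
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            slugs = {slug for _, slug in in_window}
            if len(in_window) >= min_hits and len(slugs) >= min_workspaces:
                alerts.append({
                    "src": src,
                    "first_seen": start.isoformat(),
                    "requests": len(in_window),
                    "workspaces": sorted(slugs),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_member_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, 203.0.113.7 is reported (four anonymous 200s across four workspaces in a few seconds), while the authenticated read from 198.51.100.20 and the refused anonymous request from 198.51.100.21 are not. After upgrading to 1.2.2, the same rule can be inverted to watch for bursts of 401/403 on the member endpoint, which would show that enumeration is still being attempted against the patched instance.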
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ab479ac48b3f10ffdbff93
Added to database: 3/6/2026, 9:31:06 PM
Last enriched: 3/6/2026, 9:45:19 PM
Last updated: 3/6/2026, 11:58:08 PM