CVE-2026-30244 is an improper access control vulnerability (CWE-284) affecting Plane, an open-source project management tool developed by makeplane. Versions prior to 1.2.2 incorrectly configure Django REST Framework permission classes, allowing unauthenticated users to access API endpoints intended to be restricted. This misconfiguration enables attackers to enumerate workspace members and extract sensitive data including email addresses, user roles, and internal identifiers, constituting an information disclosure vulnerability (CWE-200). The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk. The flaw does not impact data integrity or system availability but compromises confidentiality of user information. The vulnerability was publicly disclosed on March 6, 2026, with a CVSS v3.1 base score of 7.5 (high severity), reflecting its ease of exploitation and significant confidentiality impact. No known exploits are currently reported in the wild. The issue is resolved in Plane version 1.2.2 by correcting the permission class configurations to enforce proper access control on sensitive endpoints.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information such as email addresses, user roles, and internal identifiers. For organizations, this can lead to privacy violations, increased risk of targeted phishing or social engineering attacks, and potential exposure of internal organizational structure. While the vulnerability does not allow modification or deletion of data, the leaked information can be leveraged by attackers for further attacks or reconnaissance. Organizations relying on Plane for project management may face reputational damage and compliance issues if user data is exposed. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, potentially affecting any deployment of vulnerable versions accessible over the internet or internal networks.

Organizations should immediately upgrade all Plane installations to version 1.2.2 or later, where the vulnerability is patched. Until upgrades can be performed, administrators should restrict network access to Plane instances, limiting exposure to trusted internal networks or VPNs. Implementing Web Application Firewalls (WAFs) with rules to detect and block enumeration attempts targeting user listing endpoints can provide temporary protection. Review and audit API permission configurations to ensure no other endpoints are inadvertently exposed to anonymous users. Additionally, monitor logs for unusual access patterns indicative of enumeration attempts. Educate users about potential phishing risks arising from leaked email addresses and encourage vigilance. Finally, maintain an incident response plan to address any data exposure incidents promptly.