CVE-2026-40102: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in makeplane plane
CVE-2026-40102 is a vulnerability in the open-source project management tool Plane (versions 1. 3. 0 and below) where an authenticated workspace member can exploit improper validation of a user-controlled query parameter. This flaw allows an attacker to inject ORM field references via the segment parameter, causing sensitive data such as bcrypt password hashes, API tokens, and user email addresses to be exposed in JSON responses. The issue arises because the SavedAnalyticEndpoint does not validate the segment parameter before passing it to a Django F() expression, unlike the regular AnalyticsEndpoint. This vulnerability has been fixed in Plane version 1. 3. 1.
AI Analysis
Technical Summary
Plane versions 1.3.0 and earlier contain an ORM Field Reference Injection vulnerability (CWE-943) due to improper neutralization of special elements in data query logic. Specifically, the SavedAnalyticEndpoint accepts a user-controlled segment query parameter without validation and forwards it into a Django F() expression. An authenticated workspace member can craft a segment value that traverses foreign-key relationships (e.g., workspace__owner__password) and causes sensitive fields to be included in the JSON response via .values("dimension", "segment"). This leads to exposure of sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses. The vulnerability is fixed in version 1.3.1.
Potential Impact
An authenticated workspace member can exploit this vulnerability to retrieve sensitive information from the database, including password hashes, API tokens, and email addresses of related users. This data exposure can lead to further compromise if attackers use leaked credentials or tokens. The vulnerability does not affect confidentiality, integrity, or availability beyond data disclosure. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability has been fixed in Plane version 1.3.1. Users should upgrade to version 1.3.1 or later to remediate this issue. Since this is not a cloud service, remediation requires applying the official fix by upgrading the software. Patch status is not explicitly stated in the vendor advisory, but the fix is available in the specified version.
CVE-2026-40102: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in makeplane plane
Description
CVE-2026-40102 is a vulnerability in the open-source project management tool Plane (versions 1. 3. 0 and below) where an authenticated workspace member can exploit improper validation of a user-controlled query parameter. This flaw allows an attacker to inject ORM field references via the segment parameter, causing sensitive data such as bcrypt password hashes, API tokens, and user email addresses to be exposed in JSON responses. The issue arises because the SavedAnalyticEndpoint does not validate the segment parameter before passing it to a Django F() expression, unlike the regular AnalyticsEndpoint. This vulnerability has been fixed in Plane version 1. 3. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Plane versions 1.3.0 and earlier contain an ORM Field Reference Injection vulnerability (CWE-943) due to improper neutralization of special elements in data query logic. Specifically, the SavedAnalyticEndpoint accepts a user-controlled segment query parameter without validation and forwards it into a Django F() expression. An authenticated workspace member can craft a segment value that traverses foreign-key relationships (e.g., workspace__owner__password) and causes sensitive fields to be included in the JSON response via .values("dimension", "segment"). This leads to exposure of sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses. The vulnerability is fixed in version 1.3.1.
Potential Impact
An authenticated workspace member can exploit this vulnerability to retrieve sensitive information from the database, including password hashes, API tokens, and email addresses of related users. This data exposure can lead to further compromise if attackers use leaked credentials or tokens. The vulnerability does not affect confidentiality, integrity, or availability beyond data disclosure. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability has been fixed in Plane version 1.3.1. Users should upgrade to version 1.3.1 or later to remediate this issue. Since this is not a cloud service, remediation requires applying the official fix by upgrading the software. Patch status is not explicitly stated in the vendor advisory, but the fix is available in the specified version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T01:41:38.536Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0e3339ba1db47362b060ac
Added to database: 5/20/2026, 10:18:33 PM
Last enriched: 5/20/2026, 10:33:38 PM
Last updated: 5/20/2026, 11:20:22 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.