CVE-2025-69284 Overview
CVE-2025-69284 is an information disclosure vulnerability in Plane, an open-source project management tool. The vulnerability allows guest users to access the /api/workspaces/:slug/members/ API endpoint, enabling them to enumerate workspace members and potentially identify administrator email addresses through the display_name field returned in the API response.
Critical Impact
Guest users can enumerate workspace members and identify admin email addresses, potentially enabling targeted phishing attacks or social engineering campaigns against privileged users.
Affected Products
- Plane versions prior to 1.2.0
- Plane.io cloud instances (app.plane.so)
- Self-hosted Plane deployments running vulnerable versions
Discovery Timeline
- 2026-01-02 - CVE-2025-69284 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-69284
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-284) in Plane's workspace member enumeration API. While the application properly restricts guest users from accessing the settings page at https://app.plane.so/:slug/settings, the underlying API endpoint /api/workspaces/:slug/members/ remains accessible to users with guest-level privileges.
The core issue is an inconsistency between the frontend access controls and backend API authorization. Guest users, who should have minimal read-only access to workspace resources, can directly query the members API endpoint to retrieve a list of all users within a workspace they've been invited to.
More critically, the API response includes the display_name field, which appears to be derived from the user's email handle (the portion before the @ symbol). This information leakage allows malicious guests to reconstruct or infer the email addresses of administrators and other privileged users within the workspace.
Root Cause
The root cause is a broken access control implementation where API-level authorization checks do not match the intended permission model for guest users. The /api/workspaces/:slug/members/ endpoint fails to validate whether the requesting user has sufficient privileges to view member details, and the response includes sensitive user identifier information that should be filtered or anonymized for lower-privileged users.
Attack Vector
The attack is network-based and requires low privileges (an existing guest account within the target workspace). An attacker who has been invited as a guest to any Plane workspace can exploit this vulnerability through the following approach:
- The attacker obtains guest access to a target workspace through legitimate invitation
- Using browser developer tools or API clients, the attacker directly requests the members endpoint
- The API returns the full list of workspace members including their display_name values
- The attacker correlates display names to email addresses, particularly targeting administrator accounts
- This information can then be used for targeted phishing, credential stuffing, or social engineering attacks
The vulnerability requires no user interaction and can be exploited with a simple authenticated GET request to the vulnerable API endpoint.
Detection Methods for CVE-2025-69284
Indicators of Compromise
- Unusual API requests from guest accounts to /api/workspaces/:slug/members/ endpoints
- Elevated frequency of member enumeration requests from specific user sessions
- Guest accounts making API requests that bypass the normal application UI flow
- Sequential requests to workspace member endpoints across multiple workspaces from the same session
Detection Strategies
- Monitor API access logs for guest users accessing workspace member listing endpoints
- Implement rate limiting and alerting on the /api/workspaces/:slug/members/ endpoint
- Review access patterns for authenticated users querying member information outside of normal application workflows
- Deploy web application firewall (WAF) rules to flag direct API access from guest-authenticated sessions
Monitoring Recommendations
- Enable detailed API access logging with user role and privilege level context
- Configure alerts for guest accounts accessing administrative or member management endpoints
- Implement behavioral analysis to detect reconnaissance patterns typical of pre-attack enumeration
- Regularly audit workspace member permissions and identify over-privileged guest accounts
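The detection strategies above come down to one check: a guest-role session hitting the member-listing endpoint at all, and the same session doing it repeatedly or across workspaces. The script below is an added example, not Plane tooling; it runs over constructed access-log lines whose field layout (including a role annotation) is an assumption, since the page does not specify a log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from Plane); the field layout,
# including the role annotation, is an assumption for this example.
SAMPLE_LOG = """\
GET /api/workspaces/acme/members/ user=u42 role=guest session=s1
GET /api/workspaces/acme/issues/ user=u42 role=guest session=s1
GET /api/workspaces/acme/members/ user=u7 role=admin session=s2
GET /api/workspaces/beta/members/ user=u42 role=guest session=s1
GET /api/workspaces/gamma/members/ user=u42 role=guest session=s1
GET /api/workspaces/acme/members/ user=u42 role=guest session=s1
"""

LINE_RE = re.compile(
    r"^(?P<method>\w+) (?P<path>\S+) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) session=(?P<session>\S+)$"
)
MEMBERS_RE = re.compile(r"^/api/workspaces/(?P<slug>[^/]+)/members/?$")

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_guest_enumeration(log_text, threshold=3):
    """hits: every guest request to a members endpoint (each one is an IoC,
    since guests should never reach it). alerts: sessions whose guest
    member-listing count reaches `threshold` or that listed more than one
    workspace, the reconnaissance pattern the advisory describes."""
    hits = []
    per_session = defaultdict(lambda: {"count": 0, "slugs": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ep = MEMBERS_RE.match(rec["path"])
        if ep and rec["role"] == "guest":
            hits.append((rec["session"], rec["user"], ep["slug"]))
            stats = per_session[rec["session"]]
            stats["count"] += 1
            stats["slugs"].add(ep["slug"])
    alerts = {
        sid: {"count": v["count"], "workspaces": sorted(v["slugs"])}
        for sid, v in per_session.items()
        if v["count"] >= threshold or len(v["slugs"]) > 1
    }
    return hits, alerts
```

The admin request on the third line is ignored on purpose: the signal is the guest role, not the endpoint alone.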
How to Mitigate CVE-2025-69284
Immediate Actions Required
- Upgrade Plane installations to version 1.2.0 or later immediately
- Audit guest user access within workspaces and review member lists for sensitive accounts
- Consider temporarily restricting guest access to workspaces containing sensitive projects until patching is complete
- Review API access logs for signs of prior exploitation or member enumeration activity
Patch Information
Plane version 1.2.0 addresses this vulnerability by implementing proper access control checks on the workspace members API endpoint. Organizations running self-hosted Plane instances should upgrade immediately. For the official security advisory and detailed patch information, refer to the GitHub Security Advisory GHSA-7qx6-6739-c7qr.
Workarounds
- Restrict guest invitations to workspaces until the patch can be applied
- Implement network-level access controls to limit API endpoint access to trusted sources
- Deploy a reverse proxy or API gateway to add additional authorization checks on sensitive endpoints
- Use unique, non-identifying display names for administrative accounts to limit information exposure
For environments where immediate patching is not possible, consider deploying API gateway rules to block guest-authenticated requests to the /api/workspaces/:slug/members/ endpoint while maintaining normal application functionality for authorized users.
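The Root Cause section and the workaround above describe the same missing check from two sides: a role gate on the members endpoint, plus a response projection that withholds the email-derived display_name from lower-privileged users. The handler pair below is an added illustration at the application layer, not Plane's code or its actual patch; the role labels, the Member shape and the exact role matrix are assumptions.

```python
from dataclasses import dataclass

# Role labels and the handler shape are assumptions for this example; the
# advisory page does not show Plane's own role model or view code.
GUEST, MEMBER, ADMIN = "guest", "member", "admin"

@dataclass(frozen=True)
class Member:
    user_id: str
    display_name: str  # email handle (part before the @) per the advisory
    role: str
class PermissionDenied(Exception):
    pass

# Constructed sample roster, not real accounts.
ROSTER = [
    Member("u1", "alice.admin", ADMIN),
    Member("u2", "bob", MEMBER),
    Member("u3", "eve", GUEST),
]

def list_members_vulnerable(requester, roster):
    """Pre-fix behaviour: only workspace membership is checked, not the
    requester's role, and the identifying display_name goes to everyone."""
    if requester not in roster:
        raise PermissionDenied("not a workspace member")
    return [{"id": m.user_id, "display_name": m.display_name, "role": m.role}
            for m in roster]

def list_members_fixed(requester, roster):
    """Hardened form: same membership check, a role gate that matches the
    settings-page restriction, and a reduced projection below admin."""
    if requester not in roster:
        raise PermissionDenied("not a workspace member")
    if requester.role == GUEST:
        raise PermissionDenied("guests may not list workspace members")
    if requester.role == ADMIN:
        return [{"id": m.user_id, "display_name": m.display_name, "role": m.role}
                for m in roster]
    # Members see who is in the workspace, but not the email-derived handle.
    return [{"id": m.user_id, "role": m.role} for m in roster]

def is_denied(handler, requester, roster):
    """True if the handler refuses the request (helper for checks below)."""
    try:
        handler(requester, roster)
    except PermissionDenied:
        return True
    return False
```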
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.