CVE-2026-40102 Overview
CVE-2026-40102 is an ORM Field Reference Injection vulnerability in Plane, an open-source project management tool. The flaw exists in the SavedAnalyticEndpoint of versions 1.3.0 and below. The endpoint forwards the user-controlled segment query parameter directly into a Django F() expression without validation. Unlike the related AnalyticsEndpoint, which enforces an allowlist, this endpoint allows authenticated workspace members to traverse arbitrary foreign-key relationships and exfiltrate sensitive field values via the JSON response. The Plane maintainers fixed the issue in version 1.3.1.
Critical Impact
An authenticated workspace member can read sensitive database fields including bcrypt password hashes, API tokens, and related users' email addresses through crafted segment parameter values.
Affected Products
- Plane (open-source project management tool)
- Versions 1.3.0 and below
- Fixed in version 1.3.1
Discovery Timeline
- 2026-05-20 - CVE-2026-40102 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-40102
Vulnerability Analysis
The vulnerability resides in the SavedAnalyticEndpoint view, accessible via GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/. The endpoint reads the segment query parameter and passes it directly into Django's F() expression inside build_graph_plot(). Django's F() expression supports double-underscore notation to traverse foreign-key relationships across related models.
Because no allowlist is applied, an attacker can supply a value such as workspace__owner__password as the segment. The ORM resolves this reference, projects the field through .values("dimension", "segment"), and returns the raw field content in the JSON response. This produces a direct read primitive against any column reachable through the queryset's relational graph.
The related order_by injection variant only leaks data through ordering side channels. This segment injection is a stronger primitive because the targeted field values are returned verbatim. The weakness is classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic).
Root Cause
The root cause is missing input validation on the segment parameter in SavedAnalyticEndpoint. The sibling AnalyticsEndpoint validates segment against a fixed allowlist of permitted dimension fields. The saved variant omits this check, trusting client-supplied input as a valid ORM field path.
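The fix pattern described above, as an added illustration that is not Plane's own code: the client-supplied segment name is used only as a key into a fixed allowlist that maps each permitted dimension to its ORM field path, so the raw string never reaches F(). The dimension names and field paths are hypothetical placeholders, not Plane's real allowlist.

```python
# Added example (not Plane's own code): allowlist resolution of a
# client-supplied "segment" value before it becomes an ORM field reference.
# The dimension names below are hypothetical placeholders, not Plane's list.
# In a Django view the resolved path is what gets wrapped, e.g.
#   F(resolve_segment(request.GET.get("segment")))
# rather than F(request.GET.get("segment")).

# Permitted client-facing dimension names mapped to the exact field path
# each may reference. The client string is only ever used as a key here,
# so it never reaches F() as a field path of its own.
ALLOWED_SEGMENTS = {
    "priority": "priority",
    "state": "state__name",
    "assignee": "assignees__display_name",
}


class InvalidSegment(ValueError):
    """Raised when the segment parameter is not a permitted dimension."""


def resolve_segment(segment):
    """Return the field path for a permitted segment name, else raise.

    Traversal strings such as "workspace__owner__password" are rejected
    simply because they are not keys of the allowlist; no pattern matching
    on "__" is needed, and unlisted-but-harmless names are rejected too.
    """
    if not isinstance(segment, str) or segment not in ALLOWED_SEGMENTS:
        raise InvalidSegment(f"segment {segment!r} is not a permitted dimension")
    return ALLOWED_SEGMENTS[segment]


def is_permitted_segment(segment):
    """Boolean form of resolve_segment, convenient for views and tests."""
    try:
        resolve_segment(segment)
    except InvalidSegment:
        return False
    return True


def passthrough_segment(segment):
    """The pre-1.3.1 pattern, for contrast: the raw value is the field path."""
    return segment
```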
Attack Vector
Exploitation requires authenticated access at the workspace MEMBER role or higher. The attacker issues a GET request to the saved analytic view endpoint with a crafted segment value containing double-underscore traversal syntax. The server returns the referenced field values directly in the response body, exposing data such as workspace__owner__password (bcrypt hash), API tokens stored on related models, and email addresses of other users in the workspace.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-93x3-ghh7-72j3. No public exploit code is required beyond standard HTTP tooling.
Detection Methods for CVE-2026-40102
Indicators of Compromise
- HTTP GET requests to /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ containing a segment query parameter with double-underscore traversal patterns such as workspace__owner__password, __email, or __token.
- Responses from the saved analytic view endpoint that return values resembling bcrypt hashes (prefixed with $2b$ or $2a$) in the segment field.
- Repeated requests from a single authenticated session enumerating multiple segment field paths.
Detection Strategies
- Inspect web server and application logs for segment parameter values containing __ traversal sequences against the saved-analytic-view route.
- Alert on responses from Plane API endpoints whose JSON bodies contain strings matching password hash or API token formats.
- Compare request patterns between AnalyticsEndpoint and SavedAnalyticEndpoint to identify clients targeting only the unvalidated variant.
Monitoring Recommendations
- Enable verbose request logging on the Plane API gateway and forward logs to a centralized analytics platform for query-based hunting.
- Track per-user request volume to saved analytic view endpoints and flag accounts that issue abnormally high numbers of requests with varying segment values.
- Monitor for anomalous data egress from the Plane application backend, particularly to authenticated workspace MEMBER accounts.
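The log-based detection strategies and the per-user enumeration check above, worked through as an added example (not Plane's own tooling). The log line format, user identifiers and the set of known dimension names are constructed assumptions; the route pattern and the double-underscore indicator come from the advisory text.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Added example (not Plane's own code): flag saved-analytic-view requests whose
# segment parameter carries double-underscore traversal or an unknown dimension,
# and flag users that cycle through many distinct segment values. Log format,
# user ids and the KNOWN_DIMENSIONS allowlist are constructed assumptions.

SAVED_ANALYTIC_ROUTE = re.compile(r"^/api/workspaces/[^/]+/saved-analytic-view/[^/]+/?$")
KNOWN_DIMENSIONS = {"priority", "state", "assignee"}  # hypothetical allowlist
# Constructed line shape: <iso-timestamp> user=<id> "<method> <target> HTTP/x.y" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def check_segment(segment):
    """Classify one decoded segment value; return a reason string or None."""
    if "__" in segment:
        return "traversal"
    if segment not in KNOWN_DIMENSIONS:
        return "unknown_dimension"
    return None


def scan_log(lines, enumeration_threshold=3):
    """Return (user, reason, detail) findings for the given log lines."""
    findings = []
    segments_by_user = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not SAVED_ANALYTIC_ROUTE.match(url.path):
            continue  # only the unvalidated saved-analytic-view route matters
        # parse_qs percent-decodes, so %5F%5F is seen as "__" as the app would.
        for segment in parse_qs(url.query).get("segment", []):
            reason = check_segment(segment)
            if reason:
                findings.append((m["user"], reason, segment))
            segments_by_user[m["user"]].add(segment)
    for user, segs in segments_by_user.items():
        if len(segs) >= enumeration_threshold:
            findings.append((user, "enumeration", f"{len(segs)} distinct segment values"))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2026-05-21T10:00:01Z user=u1 "GET /api/workspaces/acme/saved-analytic-view/42/?x_axis=priority&segment=state HTTP/1.1" 200',
    '2026-05-21T10:00:02Z user=u2 "GET /api/workspaces/acme/saved-analytic-view/42/?segment=workspace__owner__password HTTP/1.1" 200',
    '2026-05-21T10:00:03Z user=u2 "GET /api/workspaces/acme/saved-analytic-view/42/?segment=workspace%5F%5Fowner%5F%5Fpassword HTTP/1.1" 200',
    '2026-05-21T10:00:04Z user=u2 "GET /api/workspaces/acme/saved-analytic-view/42/?segment=label HTTP/1.1" 200',
    '2026-05-21T10:00:05Z user=u2 "GET /api/workspaces/acme/saved-analytic-view/42/?segment=priority HTTP/1.1" 200',
    '2026-05-21T10:00:06Z user=u1 "GET /api/workspaces/acme/projects/ HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```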
How to Mitigate CVE-2026-40102
Immediate Actions Required
- Upgrade Plane to version 1.3.1 or later, which fixes the field reference injection in SavedAnalyticEndpoint.
- Rotate any credentials, API tokens, and session secrets that may have been exposed through the affected endpoint.
- Force a password reset for all workspace users if exploitation cannot be ruled out from log review.
- Audit workspace membership and remove any unrecognized MEMBER-level accounts.
Patch Information
The Plane maintainers released the fix in version 1.3.1. The patch applies allowlist validation to the segment parameter in SavedAnalyticEndpoint, aligning its behavior with the existing AnalyticsEndpoint. Release notes are published at GitHub Release v1.3.1, and the advisory is available at GHSA-93x3-ghh7-72j3.
Workarounds
- Restrict access to the saved-analytic-view route at the reverse proxy or WAF layer until the upgrade is applied.
- Block requests where the segment query parameter contains the __ substring or does not match the known set of analytic dimensions.
- Limit workspace MEMBER role assignments to trusted accounts until patching is complete.
# Example NGINX rule to block segment traversal patterns until patched.
# $arg_segment holds the raw query value, which NGINX does not URL-decode,
# so the pattern matches a percent-encoded underscore (%5F) in either position too.
location ~ ^/api/workspaces/[^/]+/saved-analytic-view/ {
    if ($arg_segment ~* "(_|%5f)(_|%5f)") {
        return 403;
    }
    proxy_pass http://plane_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


