CVE-2026-46558 Overview
CVE-2026-46558 is a cross-workspace authorization bypass vulnerability in Plane, an open-source project management tool. Versions prior to 1.3.1 fail to enforce workspace boundaries on asset operations. Any authenticated user can read, copy, delete, and overwrite assets belonging to other Plane workspaces. The flaw is classified as [CWE-639]: Authorization Bypass Through User-Controlled Key. Maintainers patched the issue in version 1.3.1.
Critical Impact
Authenticated attackers can access, modify, or destroy assets across workspace boundaries, breaking the tenant isolation model of multi-tenant Plane deployments.
Affected Products
- Plane (makeplane/plane) versions prior to 1.3.1
- Self-hosted Plane deployments serving multiple workspaces
- Plane Community Edition
Discovery Timeline
- 2026-06-10 - CVE-2026-46558 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46558
Vulnerability Analysis
Plane organizes user content into isolated workspaces. Each workspace should restrict asset operations (file uploads, attachments, images) to its own members. The asset access controller fails to validate that the requesting user belongs to the workspace owning the targeted asset. The authorization check accepts the asset identifier supplied by the client and processes the operation without verifying workspace membership.
This is a classic Insecure Direct Object Reference (IDOR) pattern documented as [CWE-639]. The vulnerability impacts confidentiality, integrity, and availability of cross-tenant data. Attackers gain read access to potentially sensitive project files. They can also overwrite or delete assets, corrupting other tenants' project state.
Root Cause
The asset authorization layer trusts the asset identifier as the sole basis for access decisions. It does not cross-reference the asset's parent workspace against the authenticated session's workspace memberships. Any valid user session is treated as sufficient authorization to operate on any asset identifier in the system.
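The two shapes of the check, the one the root cause describes and the one that closes it, side by side. This is added example code, not Plane's own implementation: the Asset and Store records, the in-memory data, the function names and the choice to report a foreign asset as not-found rather than forbidden are all assumptions made for the illustration.

```python
"""
Model of the CWE-639 pattern described above and of the membership check that
closes it. Added example code, not Plane's code: the Asset/Store records, the
in-memory data and the function names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    asset_id: str
    workspace_id: str      # the tenant that owns the object
    storage_key: str       # object-storage key, constructed for the example


@dataclass
class Store:
    assets: dict = field(default_factory=dict)       # asset_id -> Asset
    memberships: dict = field(default_factory=dict)  # user_id -> {workspace_id}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_get_asset(store, user_id, asset_id):
    """Pre-fix shape of the check: any valid session plus a client-supplied
    asset id is enough. The workspace that owns the asset is never consulted."""
    if user_id not in store.memberships:           # only "is this a logged-in user?"
        raise Forbidden("not authenticated")
    asset = store.assets.get(asset_id)             # user-controlled key decides access
    if asset is None:
        raise NotFound(asset_id)
    return asset


def fixed_get_asset(store, user_id, workspace_id, asset_id):
    """Post-fix shape: the caller must be a member of the workspace named in
    the request, and the asset must belong to that same workspace."""
    if workspace_id not in store.memberships.get(user_id, set()):
        raise Forbidden(f"{user_id} is not a member of {workspace_id}")
    asset = store.assets.get(asset_id)
    # Scope the lookup by workspace as well as by id. A foreign asset is
    # reported as NotFound rather than Forbidden so that a guessed id does
    # not confirm the object exists (this status choice is the example's).
    if asset is None or asset.workspace_id != workspace_id:
        raise NotFound(asset_id)
    return asset


def sample_store():
    """Two tenants and two users, constructed for the example."""
    s = Store()
    s.assets["a-111"] = Asset("a-111", "ws-acme", "ws-acme/a-111.png")
    s.assets["a-222"] = Asset("a-222", "ws-globex", "ws-globex/a-222.pdf")
    s.memberships["alice"] = {"ws-acme"}
    s.memberships["mallory"] = {"ws-globex"}
    return s


def outcome(fn, *args):
    """Run an access check and name its result, for comparison in tests."""
    try:
        return "served:" + fn(*args).storage_key
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    store = sample_store()
    # mallory (member of ws-globex only) asks for alice's asset in ws-acme
    print("vulnerable:", outcome(vulnerable_get_asset, store, "mallory", "a-111"))
    print("fixed, foreign workspace:", outcome(fixed_get_asset, store, "mallory", "ws-acme", "a-111"))
    print("fixed, own workspace:", outcome(fixed_get_asset, store, "mallory", "ws-globex", "a-111"))
    print("fixed, legitimate:", outcome(fixed_get_asset, store, "alice", "ws-acme", "a-111"))
```

The point of the fixed variant is that the workspace comes from the request path and is checked twice: once against the caller's memberships, once against the asset's owner. Checking only one of the two leaves a gap (a member of any workspace could still name a foreign asset id, or a valid member could be served an asset from a workspace they did not name).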
Attack Vector
Exploitation requires only a low-privileged authenticated account on the target Plane instance; membership in any workspace is sufficient. The attacker enumerates or guesses asset identifiers belonging to other workspaces, then issues the ordinary asset API operations (read, copy, overwrite, delete) against them. The server processes each request as if the attacker were a member of the foreign workspace. No user interaction from the victim workspace is required.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-qw87-v5w3-6vxx for advisory details.
Detection Methods for CVE-2026-46558
Indicators of Compromise
- Asset API requests where the authenticated user's workspace membership does not match the asset's owning workspace
- Unusual volumes of asset read, copy, or delete operations from a single user account
- Asset modification or deletion events lacking a corresponding action by a legitimate workspace member
- Access log entries showing asset identifiers being accessed sequentially or via enumeration patterns
Detection Strategies
- Review Plane application logs for asset endpoint requests and correlate the requesting user's workspace identifier with the asset's workspace identifier
- Alert on any account performing asset operations across more than one workspace within a short time window
- Inspect storage backend (S3, MinIO, local filesystem) access logs for unexpected cross-tenant object access
- Hunt historical logs for asset DELETE and PUT requests issued by users not enrolled in the asset's workspace
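A detection pass that implements the three indicators above (cross-workspace access, one account spanning several workspaces in a short window, sequential id walking) over access-log lines. This is added example code, not Plane's tooling: the log line format, the field names, the URL shape /api/assets/<id>/, the lookup tables and the log lines themselves are constructed assumptions; in a real hunt the membership and asset-to-workspace tables would be exported from the Plane database.

```python
"""
Detection pass over access-log lines for the indicators listed above. Added
example code, not Plane's tooling: the log line format, the field names, the
URL shape /api/assets/<id>/ and the two lookup tables are constructed
assumptions. In a real hunt the tables come from the Plane database.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Which workspaces each user belongs to, and which workspace owns each asset.
MEMBERSHIPS = {"alice": {"ws-acme"}, "bob": {"ws-globex"}, "mallory": {"ws-globex"}}
ASSET_WORKSPACE = {"a-100": "ws-acme", "a-101": "ws-acme", "a-102": "ws-acme",
                   "a-200": "ws-globex"}

# Constructed sample log: mallory, a member of ws-globex only, walks three
# sequential ws-acme asset ids and deletes one, then touches her own workspace.
SAMPLE_LOG = """\
2026-06-11T10:00:01Z user=alice method=GET path=/api/assets/a-100/ status=200
2026-06-11T10:00:05Z user=bob method=GET path=/api/assets/a-200/ status=200
2026-06-11T10:02:10Z user=mallory method=GET path=/api/assets/a-100/ status=200
2026-06-11T10:02:11Z user=mallory method=GET path=/api/assets/a-101/ status=200
2026-06-11T10:02:12Z user=mallory method=DELETE path=/api/assets/a-102/ status=204
2026-06-11T10:02:40Z user=mallory method=GET path=/api/assets/a-200/ status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"path=/api/assets/(?P<asset>[^/]+)/ status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Turn matching lines into dicts; lines that are not asset requests are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"])
        e["workspace"] = ASSET_WORKSPACE.get(e["asset"])
        events.append(e)
    return events


def cross_workspace_hits(events):
    """Requests the server served (status < 400) for an asset whose workspace the
    caller is not a member of. Rejected attempts are excluded on purpose: after
    patching they show that probing continues, not that data was served."""
    return [(e["user"], e["method"], e["asset"], e["workspace"])
            for e in events
            if e["workspace"] is not None
            and e["status"] < 400
            and e["workspace"] not in MEMBERSHIPS.get(e["user"], set())]


def multi_workspace_users(events, window=timedelta(minutes=5)):
    """Accounts whose asset operations span more than one workspace inside a window."""
    per_user = defaultdict(list)
    for e in events:
        if e["workspace"]:
            per_user[e["user"]].append((e["ts"], e["workspace"]))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {ws for t, ws in items[i:] if t - t0 <= window}
            if len(seen) > 1:
                flagged[user] = seen
                break
    return flagged


def enumeration_runs(events, min_run=3):
    """Longest run of consecutively increasing numeric asset ids per user
    (a-100, a-101, a-102 ...), the pattern of someone walking the id space."""
    longest, prev, run = {}, {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        m = re.search(r"(\d+)$", e["asset"])
        if not m:
            continue
        n, u = int(m.group(1)), e["user"]
        run[u] = run.get(u, 0) + 1 if prev.get(u) == n - 1 else 1
        prev[u] = n
        longest[u] = max(longest.get(u, 0), run[u])
    return {u: r for u, r in longest.items() if r >= min_run}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("cross-workspace:", cross_workspace_hits(ev))
    print("multi-workspace users:", multi_workspace_users(ev))
    print("enumeration runs:", enumeration_runs(ev))
```

The first check is the authoritative one: a served request for an asset outside the caller's memberships is exactly the condition the patch now rejects. The other two are corroborating signals that need no asset-ownership table and so can run on the proxy's logs alone. If an instance's asset identifiers are random rather than sequential, the id-walking check will not fire and the first two carry the detection.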
Monitoring Recommendations
- Forward Plane API access logs and authentication events to a centralized logging platform for retention and correlation
- Baseline normal asset operation volumes per user and alert on deviations
- Monitor object storage modification events and reconcile them against Plane application-layer audit records
How to Mitigate CVE-2026-46558
Immediate Actions Required
- Upgrade all Plane instances to version 1.3.1 or later without delay
- Audit asset access logs for the period prior to patching to identify possible cross-workspace access
- Rotate or revoke API tokens for any account suspected of abuse
- Notify workspace administrators if cross-workspace access is observed and provide an inventory of impacted assets
Patch Information
The vulnerability is fixed in Plane version 1.3.1. The patch enforces workspace membership validation in the asset authorization path. Release details are available in the Plane v1.3.1 GitHub release notes and the GitHub Security Advisory GHSA-qw87-v5w3-6vxx.
Workarounds
- No supported workaround removes the flaw; the only fix is the upgrade to 1.3.1 or later
- Until the upgrade, restrict who can sign in to the instance, since exploitation requires an authenticated account and membership in any workspace is enough
- If the upgrade must be delayed, place the instance behind a reverse proxy that limits access to a trusted network or identity provider; this shrinks the pool of possible attackers but does not stop a legitimately signed-in user from reaching other tenants' assets
- Keep regular, versioned backups of the asset storage so that unauthorized deletions or overwrites can be recovered
# Upgrade example for Docker-based Plane deployments (Docker Compose v2)
docker compose pull
docker compose down
docker compose up -d
# Verify that the running services use a 1.3.1-or-later release image tag;
# a floating tag such as "latest" does not prove which version is running
docker compose images
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.