CVE-2026-46558
Plane · Plane
A cross-workspace asset authorization bypass exists in Plane, allowing authenticated users to read, copy, delete, and overwrite assets in other workspaces.
Executive summary
An authorization bypass vulnerability in the Plane project management tool allows authenticated users to illicitly access and modify assets across unauthorized workspaces.
Vulnerability
This is an authorization bypass vulnerability occurring within the asset management functionality. It allows any authenticated user to interact with assets in workspaces they do not own or have permission to access, essentially negating workspace isolation.
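The bug class described above is a lookup that trusts an authenticated session but never ties the requested asset to the workspace in the request. The following is an added illustration, not Plane's code: the data, names (`ASSETS`, `MEMBERSHIPS`, `get_asset_vulnerable`, `get_asset_hardened`) and the in-memory store are all constructed for the example. It shows the missing-scope pattern beside the scoped version for both a read and a destructive write.

```python
"""Missing workspace scoping on an asset endpoint, vulnerable vs. hardened.

Added, hypothetical illustration of the bug class; none of this is Plane's code.
All data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    workspace_id: str
    content: bytes


class AuthorizationError(Exception):
    pass


def make_store() -> dict:
    # Constructed sample data: two workspaces, one asset each.
    return {
        "a-1": Asset("a-1", "ws-alpha", b"alpha design doc"),
        "a-2": Asset("a-2", "ws-beta", b"beta roadmap"),
    }


# Constructed membership table: user -> workspaces the user belongs to.
MEMBERSHIPS = {"alice": {"ws-alpha"}, "bob": {"ws-beta"}}


def _require_member(user: str, workspace_id: str) -> None:
    """Reject callers who are not members of the workspace named in the request."""
    if workspace_id not in MEMBERSHIPS.get(user, set()):
        raise AuthorizationError(f"{user} is not a member of {workspace_id}")


def get_asset_vulnerable(store: dict, user: str, workspace_id: str, asset_id: str) -> bytes:
    """Bug pattern: the caller is authenticated, but the asset is fetched by id
    alone. The workspace_id from the URL is accepted and then ignored, so any
    member of any workspace can read any asset by guessing or learning its id."""
    if user not in MEMBERSHIPS:
        raise AuthorizationError("not authenticated")
    asset = store[asset_id]  # no workspace filter, no membership check
    return asset.content


def get_asset_hardened(store: dict, user: str, workspace_id: str, asset_id: str) -> bytes:
    """Fix pattern: the caller must be a member of the requested workspace, and the
    asset must belong to that same workspace. An asset that exists in another
    workspace is reported exactly like one that does not exist at all."""
    _require_member(user, workspace_id)
    asset = store.get(asset_id)
    if asset is None or asset.workspace_id != workspace_id:
        raise AuthorizationError("asset not found in this workspace")
    return asset.content


def delete_asset_hardened(store: dict, user: str, workspace_id: str, asset_id: str) -> bool:
    """Same scoping on the destructive path: write endpoints need the check too,
    otherwise a fixed read endpoint still leaves delete/overwrite exposed."""
    _require_member(user, workspace_id)
    asset = store.get(asset_id)
    if asset is None or asset.workspace_id != workspace_id:
        raise AuthorizationError("asset not found in this workspace")
    del store[asset_id]
    return True


def denied(fn, *args) -> bool:
    """Helper for demonstrations and tests: True if fn raises AuthorizationError."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    # bob is a member of ws-beta only, yet reads ws-alpha's asset via the unscoped lookup.
    print(get_asset_vulnerable(store, "bob", "ws-beta", "a-1"))
    # The scoped lookup refuses the same request.
    print(denied(get_asset_hardened, store, "bob", "ws-beta", "a-1"))
```

The hardened version checks two things, not one: membership in the workspace named by the request, and that the asset's own `workspace_id` matches it. Checking only membership still lets a member of one workspace address assets of another by id, which is the cross-workspace condition this advisory describes.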
Business impact
With a CVSS score of 8.3, this high-severity vulnerability poses a significant risk to organizational data integrity and confidentiality. Successful exploitation could lead to unauthorized data exfiltration, the deletion of critical project documentation, or the overwriting of sensitive assets, potentially resulting in severe operational disruption and loss of intellectual property.
Remediation
Immediate Action: Upgrade your Plane installation to version 1.3.1 or later to apply the necessary authorization checks.
Proactive Monitoring: Review application access logs for unusual patterns of asset interaction, particularly requests targeting workspace IDs associated with other teams or projects.
Compensating Controls: Ensure strict role-based access control (RBAC) policies are enforced at the network level and consider placing the instance behind a WAF to detect anomalous API requests.
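The monitoring recommendation above, as an added example that is not part of the advisory: a small scan that joins access log entries with a workspace membership table and reports asset requests whose path names a workspace the requesting user does not belong to. The log format, URL layout (`/api/workspaces/<id>/assets/<id>/`), membership data and function names are all constructed for the example; adapt the two regular expressions to the real log and path format of your deployment.

```python
"""Flag asset requests that cross workspace boundaries in an access log.

Added example, not Plane's code or log format. The log lines, paths and
membership data below are constructed for illustration.
"""
import re
from typing import NamedTuple

# Constructed sample log in a simplified key=value layout.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=alice method=GET path=/api/workspaces/ws-alpha/assets/a-1/ status=200
2026-03-01T10:00:05Z user=bob method=GET path=/api/workspaces/ws-beta/assets/a-2/ status=200
2026-03-01T10:00:09Z user=bob method=GET path=/api/workspaces/ws-alpha/assets/a-1/ status=200
2026-03-01T10:00:12Z user=bob method=DELETE path=/api/workspaces/ws-alpha/assets/a-1/ status=204
2026-03-01T10:00:15Z user=bob method=GET path=/api/workspaces/ws-alpha/assets/a-3/ status=403
2026-03-01T10:00:20Z user=alice method=GET path=/api/workspaces/ws-alpha/projects/ status=200
"""

# Constructed membership table: user -> workspaces the user belongs to.
MEMBERSHIPS = {"alice": {"ws-alpha"}, "bob": {"ws-beta"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)
# Only asset endpoints are of interest for this advisory; other paths are skipped.
ASSET_RE = re.compile(r"/workspaces/(?P<ws>[^/]+)/assets/(?P<asset>[^/]+)")


class Finding(NamedTuple):
    ts: str
    user: str
    method: str
    workspace: str
    asset: str
    status: int


def find_cross_workspace_asset_access(log_text: str, memberships: dict) -> tuple:
    """Return (succeeded, denied): asset requests where the user is not a member of
    the workspace in the path. 'succeeded' entries (2xx/3xx) indicate the check was
    missing or bypassed; 'denied' entries (4xx+) show the check held but the access
    pattern is still worth a look."""
    succeeded, denied = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line; count these separately in a real deployment
        a = ASSET_RE.search(m["path"])
        if not a:
            continue  # not an asset endpoint
        user, ws = m["user"], a["ws"]
        if ws in memberships.get(user, set()):
            continue  # user belongs to the workspace named in the request
        status = int(m["status"])
        f = Finding(m["ts"], user, m["method"], ws, a["asset"], status)
        (denied if status >= 400 else succeeded).append(f)
    return succeeded, denied


if __name__ == "__main__":
    ok, no = find_cross_workspace_asset_access(SAMPLE_LOG, MEMBERSHIPS)
    for f in ok:
        print("CROSS-WORKSPACE SUCCESS", f)
    for f in no:
        print("cross-workspace denied ", f)
```

Successful cross-workspace requests from before the upgrade are the ones to investigate, since on an unpatched instance they would have been served; after upgrading to 1.3.1, the same scan should show only denied entries for such requests.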
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability for an authenticated user to bypass workspace boundaries constitutes a critical failure in logical access control. Organizations utilizing Plane must prioritize upgrading to version 1.3.1 to ensure workspace integrity and prevent unauthorized cross-workspace data manipulation.