CVE-2025-69284
Information Disclosure via Unauthorized Workspace Member Listing in Plane.io Prior to

Publication date: 2026-01-02

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, the `/api/workspaces/:slug/members/` endpoint was accessible to guests, who could list the users of a workspace they had joined. Since the `display_name` in the response is actually the handle (local part) of the user's email address, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: plane | Product: plane | Version / Range: 1.1.0
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-69284 is a vulnerability in plane.io versions prior to 1.2.0 where a guest user can access the API endpoint `/api/workspaces/:slug/members/` to retrieve a list of all members in a workspace they joined. Although guests cannot access workspace settings, the API response includes a `display_name` field that reveals the email handle (the part before '@') of users, allowing a malicious guest to infer admin and other users' email addresses. This is due to improper access control. [1]


How can this vulnerability impact me?

This vulnerability can impact you by exposing the email handles of workspace members, including admins, to guest users without requiring elevated privileges or user interaction. This compromises the confidentiality of user identities, potentially enabling targeted phishing or social engineering attacks. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by attempting to access the API endpoint `/api/workspaces/:slug/members/` as a guest user on your Plane instance. If you receive a list of workspace members including the `display_name` field, your system is vulnerable. A simple command using curl would be: `curl -i -X GET https://app.plane.so/api/workspaces/<slug>/members/` replacing `<slug>` with your workspace identifier. If the response returns member information without proper authorization, the vulnerability exists. [1]
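The check described above, as an added example for verifying your own instance (this is not Plane's code and not part of the advisory); it assumes the guest account's credentials are passed as raw HTTP headers taken from that guest's own session, and that the member object may be nested under a `member` key, which is an assumption rather than something the advisory states.

```python
import json
import urllib.error
import urllib.request


def assess_members_response(status: int, body: bytes) -> dict:
    """Decide whether a members-endpoint response discloses member identities.

    ``exposed`` is True when the caller received a listing carrying display
    names; ``handles`` lists the disclosed names.
    """
    verdict = {"exposed": False, "status": status, "handles": []}
    if status != 200:
        # 401/403 mean the server withheld the listing from this account.
        return verdict
    try:
        members = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return verdict
    if not isinstance(members, list):
        return verdict
    for entry in members:
        # The user object may be nested under "member" (assumption, not from the advisory).
        user = entry.get("member", entry) if isinstance(entry, dict) else {}
        name = user.get("display_name") if isinstance(user, dict) else None
        if name:
            verdict["handles"].append(name)
    verdict["exposed"] = bool(verdict["handles"])
    return verdict


def check_instance(base_url: str, slug: str, guest_headers: dict, timeout: int = 10) -> dict:
    """GET /api/workspaces/<slug>/members/ with a guest's own credentials and assess the reply."""
    url = f"{base_url.rstrip('/')}/api/workspaces/{slug}/members/"
    req = urllib.request.Request(url, headers=guest_headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_members_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return assess_members_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample of what a vulnerable pre-1.2.0 instance might return to a guest.
    SAMPLE = b'[{"member": {"display_name": "jane.doe"}}, {"member": {"display_name": "admin"}}]'
    print(assess_members_response(200, SAMPLE))
    # -> {'exposed': True, 'status': 200, 'handles': ['jane.doe', 'admin']}
```

After upgrading to 1.2.0, rerunning `check_instance` with the guest's headers should yield `exposed: False` with a 401/403 status.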


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade your Plane installation to version 1.2.0 or later, where this access control issue has been fixed. Until the upgrade, restrict guest user access to the `/api/workspaces/:slug/members/` endpoint to prevent unauthorized disclosure of member information. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability exposes user identity information by allowing guest users to infer email addresses of admins and other workspace members without proper authorization. Such unauthorized disclosure of personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure. [1]

