CVE-2026-27705
Status: Received - Intake
Insecure Direct Object Reference in Plane ProjectAssetEndpoint Allows Unauthorized Asset Modification

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
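To make the missing check concrete, the following is an added example in Python and not Plane's code: an in-memory stand-in for the `FileAsset` table with the pre-1.2.2 lookup (`get(id=pk)`, ignoring the workspace and project from the URL) beside a scoped lookup. The names `Asset`, `make_store`, `lookup_asset_vulnerable`, `lookup_asset_fixed`, `patch_asset`, `cross_tenant_patch` and the sample UUIDs are assumptions of the example; the scoped lookup corresponds to adding workspace and project filters to the ORM query and shows the general shape of the fix, not the exact 1.2.2 diff.

```python
"""Model of the lookup that CVE-2026-27705 describes (added example, not Plane's code).

`Asset`, `AssetStore`, the lookups and the sample UUIDs are assumptions standing in
for the FileAsset model and ProjectAssetEndpoint.patch(), so the vulnerable and the
scoped lookup can be run side by side without Django.
"""
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Asset:
    id: uuid.UUID
    workspace_slug: str
    project_id: uuid.UUID
    attributes: dict = field(default_factory=dict)
    is_uploaded: bool = False


class NotFound(Exception):
    """Stands in for FileAsset.DoesNotExist, i.e. a 404 response."""


AssetStore = Dict[uuid.UUID, Asset]
Lookup = Callable[[AssetStore, str, uuid.UUID, uuid.UUID], Asset]

# Constructed identifiers: two tenants that must never touch each other's assets.
ACME_PROJECT = uuid.UUID("11111111-1111-1111-1111-111111111111")
ACME_ASSET = uuid.UUID("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
OTHER_PROJECT = uuid.UUID("22222222-2222-2222-2222-222222222222")
OTHER_ASSET = uuid.UUID("bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb")


def make_store() -> AssetStore:
    """Fresh in-memory stand-in for the FileAsset table."""
    assets = [
        Asset(ACME_ASSET, "acme", ACME_PROJECT, {"name": "roadmap.pdf"}),
        Asset(OTHER_ASSET, "other-co", OTHER_PROJECT, {"name": "payroll.xlsx"}),
    ]
    return {a.id: a for a in assets}


def lookup_asset_vulnerable(store: AssetStore, slug: str, project_id: uuid.UUID, pk: uuid.UUID) -> Asset:
    """Pre-1.2.2 shape: FileAsset.objects.get(id=pk). The workspace slug and
    project id parsed from the URL are accepted but never consulted."""
    try:
        return store[pk]
    except KeyError:
        raise NotFound(pk) from None


def lookup_asset_fixed(store: AssetStore, slug: str, project_id: uuid.UUID, pk: uuid.UUID) -> Asset:
    """Scoped lookup: the asset must belong to the workspace and project in the
    URL (the equivalent of filtering the query by workspace and project as well
    as id). A foreign asset id is indistinguishable from a nonexistent one."""
    asset = store.get(pk)
    if asset is None or asset.workspace_slug != slug or asset.project_id != project_id:
        raise NotFound(pk)
    return asset


def patch_asset(store: AssetStore, lookup: Lookup, slug: str, project_id: uuid.UUID,
                pk: uuid.UUID, attributes: Optional[dict] = None,
                is_uploaded: Optional[bool] = None) -> Asset:
    """What the PATCH handler does once its lookup has returned an asset."""
    asset = lookup(store, slug, project_id, pk)
    if attributes is not None:
        asset.attributes = {**asset.attributes, **attributes}
    if is_uploaded is not None:
        asset.is_uploaded = is_uploaded
    return asset


def cross_tenant_patch(lookup: Lookup) -> Optional[Asset]:
    """A GUEST of workspace 'acme' addresses other-co's asset through acme's own
    URL scope. Returns the modified asset, or None if the lookup refused it."""
    store = make_store()
    try:
        return patch_asset(store, lookup, "acme", ACME_PROJECT, OTHER_ASSET,
                           attributes={"name": "tampered"}, is_uploaded=True)
    except NotFound:
        return None


if __name__ == "__main__":
    print("vulnerable lookup:", cross_tenant_patch(lookup_asset_vulnerable))
    print("scoped lookup:    ", cross_tenant_patch(lookup_asset_fixed))
```

Run stand-alone, the vulnerable lookup returns and mutates other-co's asset when it is addressed through acme's URL scope, while the scoped lookup raises `NotFound`, the same outcome a nonexistent id gets, so the endpoint does not reveal whether a guessed UUID exists in another workspace.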
Meta Information

Page generated: 2026-06-16
AI Q&A generated: 2026-02-25
EPSS evaluated: 2026-06-14
Affected Vendors & Products

Vendor: plane
Product: plane
Version / Range: all versions before 1.2.2 (1.2.2 excluded)
CWE

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI-generated guidance
Detection Guidance

This vulnerability involves unauthorized modification of assets by guessing or enumerating asset UUIDs, because the patch method looks the asset up by ID alone. Detection therefore centres on PATCH requests to the project asset endpoint whose asset ID does not belong to the workspace and project named in the URL. Note that such a request is well-formed from the outside: the attacker supplies a workspace and project they legitimately belong to, and only the asset UUID is foreign, so the URL on its own does not reveal the abuse. You need the asset's real owner, from the database, to compare against.

Start by filtering PATCH requests to the asset endpoint out of the web server or API gateway logs. The URL path is whatever your deployment routes to `ProjectAssetEndpoint` (check the API URLconf; the source path `apps/api/plane/app/views/asset/v2.py` is not a URL), for example:

  • grep '"PATCH ' /var/log/nginx/access.log and narrow the result to the asset route from the URLconf.
  • For each hit, extract the workspace slug, project ID and asset UUID from the path and compare them with the asset's owning workspace and project in the `FileAsset` table; a mismatch that returned 200 is a successful cross-scope modification, a mismatch that returned 404 is a blocked or mistyped attempt.
  • Look for bursts of PATCH requests carrying many distinct asset UUIDs from one source, especially with 404s interleaved, as the signature of enumeration.

Web server logs do not normally carry the Plane user or role, so correlate flagged requests with application logs or session data to establish whether the caller was a GUEST or other low-privilege member. Additionally, audit changes to the `FileAsset` table (the `attributes` and `is_uploaded` fields, plus the update timestamp and updating user where the model records them) for modifications that do not correspond to a user with access to the owning project. [1]
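The log comparison described above, as an added example in Python that is not part of this page or of Plane: it parses nginx-style access lines, pulls the workspace slug, project ID and asset UUID out of the PATCH path, and flags requests whose URL scope differs from the asset's owner as exported from the `FileAsset` table. The route regex, the log lines and the inventory are constructed assumptions; adapt `ASSET_ROUTE_RE` to the path your deployment actually serves.

```python
"""Retrospective audit of access logs for cross-scope asset PATCHes (added example).

Not part of the original page or of Plane. The log lines and the inventory are
constructed. ASSET_ROUTE_RE assumes the PATCH route has the shape
/api/assets/v2/workspaces/<slug>/projects/<project_id>/<asset_id>/ ; check your
deployment's URLconf and adjust it.
"""
import re
from typing import Dict, List, Optional, Tuple

Scope = Tuple[str, str]  # (workspace slug, project id)

# nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Assumed route shape; not taken from Plane's URLconf.
ASSET_ROUTE_RE = re.compile(
    rf"^/api/assets/v2/workspaces/(?P<slug>[^/]+)/projects/(?P<project_id>{UUID})/(?P<asset_id>{UUID})/?$"
)

# Constructed inventory, as you would export it from the FileAsset table:
# asset id -> (owning workspace slug, owning project id).
ACME_PROJECT = "11111111-1111-1111-1111-111111111111"
OTHER_PROJECT = "22222222-2222-2222-2222-222222222222"
INVENTORY: Dict[str, Scope] = {
    "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa": ("acme", ACME_PROJECT),
    "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb": ("other-co", OTHER_PROJECT),
}

# Constructed log lines. 203.0.113.7 is an acme GUEST: one legitimate PATCH, one
# against other-co's asset through acme's own URL scope, one against an unknown id.
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/Feb/2026:10:01:02 +0000] "PATCH /api/assets/v2/workspaces/acme/projects/{ACME_PROJECT}/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/ HTTP/1.1" 200 318 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [25/Feb/2026:10:01:09 +0000] "PATCH /api/assets/v2/workspaces/acme/projects/{ACME_PROJECT}/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb/ HTTP/1.1" 200 318 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [25/Feb/2026:10:01:11 +0000] "PATCH /api/assets/v2/workspaces/acme/projects/{ACME_PROJECT}/cccccccc-cccc-4ccc-8ccc-cccccccccccc/ HTTP/1.1" 404 52 "-" "curl/8.5.0"',
    f'198.51.100.4 - - [25/Feb/2026:10:02:30 +0000] "GET /api/assets/v2/workspaces/acme/projects/{ACME_PROJECT}/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cross_scope_patches(lines: List[str], inventory: Dict[str, Scope]) -> List[dict]:
    """Flag PATCHes whose URL scope is not the asset's owning scope.

    On a vulnerable server such a request succeeds (200); after the fix it is a
    404, so the recorded status says whether the attempt actually worked."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "PATCH":
            continue
        route = ASSET_ROUTE_RE.match(rec["path"])
        if route is None:
            continue
        url_scope = (route["slug"], route["project_id"])
        owner = inventory.get(route["asset_id"])
        if owner is None:
            reason = "unknown asset id (possible enumeration, or an asset deleted since)"
        elif owner != url_scope:
            reason = f"asset owned by {owner[0]}/{owner[1]} addressed via {url_scope[0]}/{url_scope[1]}"
        else:
            continue
        findings.append({"ip": rec["ip"], "time": rec["time"], "asset_id": route["asset_id"],
                         "status": int(rec["status"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_cross_scope_patches(SAMPLE_LOG, INVENTORY):
        print(f)
```

Feed it the real access log and an export of `FileAsset` ids with their workspace slug and project id; a 200 on a mismatched request is the confirmation that a cross-scope modification went through. Unknown ids need a second look against deleted assets before they are counted as enumeration.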

Mitigation Strategies

The immediate mitigation step is to upgrade Plane to version 1.2.2 or later, where the lookup in `ProjectAssetEndpoint.patch()` is scoped so that asset modifications are limited to the workspace and project in the URL.

If upgrading immediately is not possible, restrict access to the asset PATCH endpoint to trusted users (for example at the reverse proxy or API gateway) and monitor for PATCH requests whose asset ID belongs to a different workspace or project than the one in the URL. Be clear about what a gateway rule can and cannot do here: it can limit who may call the endpoint, but it cannot validate that the asset belongs to the workspace and project in the path, because that relationship lives in the application database. A malicious request carries a workspace and project the caller legitimately belongs to, and only the asset UUID is foreign, so at the HTTP layer it is indistinguishable from a valid request.

Review and audit user roles and permissions, especially GUEST memberships, and remove or restrict accounts that do not need access until the patch is applied; any authenticated member of any workspace on the instance is a potential source of the attack. [2]

Executive Summary

CVE-2026-27705 is an Insecure Direct Object Reference (IDOR) vulnerability in the Plane project management tool affecting versions prior to 1.2.2.

The vulnerability exists in the `ProjectAssetEndpoint.patch()` method, which performs a global asset lookup using only the asset ID without verifying that the asset belongs to the workspace and project specified in the URL path.

This lack of authorization check allows any authenticated user, including those with the GUEST role, to modify the attributes and upload status of assets belonging to any workspace or project by guessing or enumerating asset UUIDs.

This leads to cross-workspace and cross-project asset modification, violating multi-tenant isolation.

Impact Analysis

The vulnerability allows unauthorized users to modify asset metadata and upload status across all workspaces and projects within a Plane instance.

  • Unauthorized modification of asset metadata stored in the `attributes` JSON field, which can cause broken file downloads, incorrect file-type rendering, and disrupt document workflows.
  • Setting the `is_uploaded` flag to true on arbitrary assets, marking incomplete or never-completed uploads as complete.
  • Authorization boundary violation allowing GUEST users in one workspace to affect assets in other workspaces.
