CVE-2026-40102
ORM Field Reference Injection in Plane Project Management Tool

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: GitHub, Inc.

Description
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1.
Meta Information
Published: 2026-05-20; Last Modified: 2026-05-21; Generated: 2026-06-10; AI Q&A: 2026-05-21; EPSS Evaluated: 2026-06-08; Source: NVD
Affected Vendors & Products
Vendor: plane; Product: plane; Version / Range: up to 1.3.1 (excluding)
CWE
CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Executive Summary

This vulnerability exists in the Plane open-source project management tool, specifically in versions 1.3.0 and below. It involves the SavedAnalyticEndpoint passing a user-controlled 'segment' query parameter directly into a Django F() expression without validation. Unlike the regular AnalyticsEndpoint, which uses an allowlist, this lack of validation allows an authenticated workspace member to craft a request that exploits ORM Field Reference Injection.

By sending a specially crafted GET request to the saved-analytic-view endpoint with a malicious segment value, the attacker can traverse foreign-key relationships in the database (for example, accessing workspace owner password hashes) and retrieve sensitive data such as bcrypt password hashes, API tokens, and other users' email addresses. This data is returned directly in the JSON response. The issue was fixed in version 1.3.1.

Impact Analysis

This vulnerability can lead to the exposure of sensitive information including bcrypt password hashes, API tokens, and email addresses of related users. An authenticated workspace member exploiting this flaw can access confidential data that should normally be protected, potentially leading to unauthorized access, credential compromise, and further attacks on the system or its users.

Mitigation Strategies

To mitigate this vulnerability, upgrade Plane to version 1.3.1 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows an authenticated workspace member to extract sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses by exploiting an ORM Field Reference Injection flaw. Exposure of such sensitive personal and authentication data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Specifically, GDPR requires organizations to protect personal data against unauthorized access and breaches, while HIPAA mandates safeguarding protected health information. The leakage of password hashes, API tokens, and email addresses through this vulnerability could be considered a data breach under these regulations, potentially resulting in legal and financial consequences.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious API requests to the SavedAnalyticEndpoint that include unusual or crafted values in the `segment` query parameter. Specifically, look for GET requests to the endpoint pattern `/api/workspaces/<slug>/saved-analytic-view/<analytic_id>/` where the `segment` parameter contains foreign-key traversal strings such as `workspace__owner__password` or other nested model field references.

To detect exploitation attempts on your system, you can use network or application logs to search for such crafted requests.

Example commands to detect suspicious requests in logs might include:

  • Using grep on server access logs to find suspicious segment parameters: `grep -E 'segment=.*__' /path/to/access.log`
  • Using curl to test if your system is vulnerable by sending a crafted request (requires authentication as a workspace member): `curl -G -u <user>:<password> 'https://<your-plane-instance>/api/workspaces/<slug>/saved-analytic-view/<analytic_id>/' --data-urlencode 'segment=workspace__owner__password'`

If the response contains sensitive data such as password hashes or email addresses, the system is vulnerable.
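The following is an added example (not Plane's code and not part of the advisory) that applies the allowlist principle from the description to the detection guidance above: it scans access-log lines for requests to the saved-analytic-view endpoint and flags any `segment` value that is not an allowlisted field, percent-decoding the query first so that an encoded `%5F%5F` is treated the same as `__` (a plain grep on the raw log would miss it). The allowlist contents, the log lines, and the status codes are constructed for the example; Plane's real allowlist may differ.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of segment values (constructed; Plane's real
# AnalyticsEndpoint allowlist may differ). Anything else is reported.
ALLOWED_SEGMENTS = {"state", "priority", "labels", "assignees",
                    "cycle", "module", "created_by"}

# Only the saved-analytic-view endpoint lacked validation in <= 1.3.0.
SAVED_ANALYTIC_RE = re.compile(
    r"^/api/workspaces/[^/]+/saved-analytic-view/[^/]+/?$")

# Combined-Log-Format access line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3})')

# Constructed sample log lines (not real Plane logs). The last line hits the
# regular analytics endpoint, which validates, so it is out of scope here.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:10:00:01 +0000] "GET /api/workspaces/acme/saved-analytic-view/42/?segment=priority HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2026:10:00:07 +0000] "GET /api/workspaces/acme/saved-analytic-view/42/?segment=workspace__owner__password HTTP/1.1" 200 1987
10.0.0.9 - - [20/May/2026:10:00:09 +0000] "GET /api/workspaces/acme/saved-analytic-view/42/?segment=workspace%5F%5Fowner%5F%5Femail HTTP/1.1" 200 1640
10.0.0.7 - - [20/May/2026:10:00:12 +0000] "GET /api/workspaces/acme/analytics/?segment=workspace__owner__password HTTP/1.1" 400 70
"""


def classify_segment(value):
    """Return a reason string if the segment value is suspicious, else None."""
    if value in ALLOWED_SEGMENTS:
        return None
    if "__" in value:           # Django relation traversal separator
        return "relation traversal"
    return "not in allowlist"   # unknown field name, still worth a look


def scan_log(text):
    """Return findings for saved-analytic-view requests with bad segments."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not SAVED_ANALYTIC_RE.match(parts.path):
            continue
        # parse_qs percent-decodes, so %5F%5F is compared as "__".
        for seg in parse_qs(parts.query).get("segment", []):
            reason = classify_segment(seg)
            if reason:
                findings.append({"ip": m.group("ip"), "segment": seg,
                                 "reason": reason,
                                 "status": int(m.group("status"))})
    return findings
```

A 200 status on a flagged request is the stronger signal, since on a fixed 1.3.1 instance the same request should be rejected.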
