CVE-2026-40102
Status: Received - Intake
ORM Field Reference Injection in Plane Project Management Tool

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1.
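The two things a practitioner needs from the description above are the check that was missing and a way to find attempts against the unpatched view. The block below is an added example, not Plane's code: it implements an allowlist check of the kind the description says AnalyticsEndpoint performs and SavedAnalyticEndpoint skipped, shows how a Django lookup string such as workspace__owner__password decomposes into the relation hops F() would follow, and scans constructed access-log lines for saved-analytic-view requests whose segment is not allowlisted. The field names in ALLOWED_SEGMENTS, the model chain in the comments, the workspace slug, UUID and log lines are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of field names a segment may reference; Plane's real
# list is not reproduced here. Note that legitimate entries such as
# "labels__id" also contain "__": an exact-match allowlist, not a ban on
# relation hops, is what keeps F(segment) away from workspace__owner__password.
ALLOWED_SEGMENTS = frozenset({
    "state_id", "priority", "labels__id", "assignees__id",
    "created_by", "start_date", "target_date",
})


class InvalidSegment(ValueError):
    """Raised for a segment value that is not on the allowlist."""


def lookup_path(segment):
    """Split a Django lookup string into the hops F() would resolve.

    "workspace__owner__password" -> ["workspace", "owner", "password"]:
    assumed model chain Issue -> Workspace -> User, then the password column,
    which values("segment") would then project into the response.
    """
    return segment.split("__")


def is_allowed(segment, allowed=ALLOWED_SEGMENTS):
    """True if the segment is empty or exactly matches an allowlisted name."""
    return not segment or segment in allowed


def validate_segment(segment, allowed=ALLOWED_SEGMENTS):
    """Reject a bad segment before anything is handed to F()/values().

    This is the shape of the check the advisory says the regular
    AnalyticsEndpoint performs and SavedAnalyticEndpoint omitted.
    """
    if not segment:
        return None
    if segment not in allowed:
        raise InvalidSegment(f"segment not allowed: {segment!r}")
    return segment


# Path of the vulnerable view, as given in the advisory.
SAVED_VIEW_RE = re.compile(
    r"^/api/workspaces/(?P<slug>[^/]+)/saved-analytic-view/(?P<analytic_id>[^/]+)/?$"
)
REQUEST_RE = re.compile(r'"GET (?P<target>\S+) HTTP/')


def suspicious_requests(log_lines, allowed=ALLOWED_SEGMENTS):
    """Scan access-log lines for saved-analytic-view requests whose segment
    parameter is not allowlisted.

    Returns (slug, analytic_id, segment) tuples. On an unpatched 1.3.0 host
    each one is a request that would have reached build_graph_plot().
    """
    hits = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        url = urlsplit(req["target"])
        view = SAVED_VIEW_RE.match(url.path)
        if not view:
            continue
        # parse_qs percent-decodes, so "workspace%5F%5Fowner" is caught too.
        for seg in parse_qs(url.query).get("segment", []):
            if not is_allowed(seg, allowed):
                hits.append((view["slug"], view["analytic_id"], seg))
    return hits


# Constructed sample log lines (nginx combined format); the addresses, slug
# and UUID are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /api/workspaces/acme/'
    'saved-analytic-view/1f2e3d4c-0000-4000-8000-000000000001/?segment=priority'
    ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/May/2026:10:01:07 +0000] "GET /api/workspaces/acme/'
    'saved-analytic-view/1f2e3d4c-0000-4000-8000-000000000001/'
    '?segment=workspace__owner__password HTTP/1.1" 200 2048',
    '10.0.0.9 - - [20/May/2026:10:01:09 +0000] "GET /api/workspaces/acme/'
    'saved-analytic-view/1f2e3d4c-0000-4000-8000-000000000001/'
    '?segment=workspace%5F%5Fowner%5F%5Femail HTTP/1.1" 200 1900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("possible CVE-2026-40102 exploitation:", hit)
```

The scan only flags requests that were not allowlisted; it cannot tell from the log alone whether the response carried data, so a hit on a host that was still on 1.3.0 at that time should be treated as a leak of whatever the referenced field holds.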
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-21
AI Q&A: 2026-05-21
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-943 (Improper Neutralization of Special Elements in Data Query Logic): The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Plane open-source project management tool, in versions 1.3.0 and below. SavedAnalyticEndpoint passes the user-controlled 'segment' query parameter directly into a Django F() expression without validation. The regular AnalyticsEndpoint checks the same parameter against an allowlist; the saved-view endpoint does not, so any authenticated workspace member can supply an arbitrary ORM field lookup, which is what makes this an ORM Field Reference Injection.

By sending a GET request to the saved-analytic-view endpoint with a crafted segment value, the attacker makes the F() expression traverse foreign-key relationships (for example workspace__owner__password, reaching the workspace owner's password hash). Because the result is projected with .values("dimension", "segment"), the referenced field values are returned directly in the JSON response rather than merely influencing ordering, so bcrypt password hashes, API tokens and other users' email addresses can be read out. The issue was fixed in version 1.3.1.


How can this vulnerability impact me?

This vulnerability can expose sensitive information including bcrypt password hashes, API tokens and the email addresses of related users. The prerequisite is low: any authenticated workspace MEMBER can exploit it, not only administrators. Leaked API tokens are directly usable, and leaked password hashes can be attacked offline, so exploitation can lead to credential compromise and further attacks on the system or its users.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Plane to version 1.3.1 or later, where the issue has been fixed. If the upgrade cannot happen immediately, the description points to the interim fix: apply to SavedAnalyticEndpoint the same allowlist check on the segment parameter that the regular AnalyticsEndpoint already performs, so that only expected field names reach F(). Review access logs for requests to /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ whose segment value names a relationship path rather than an expected field; if any are found on a host that was still running 1.3.0 or below, treat the referenced data as exposed and rotate the affected API tokens and reset the affected users' passwords.

