CVE-2026-46558
Received - Intake
Cross-Workspace Asset Authorization Bypass in Plane

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
makeplane   plane     up to 1.3.1 (excluding)
makeplane   plane     1.3.1
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

CVE-2026-46558 is a high-severity cross-workspace authorization bypass vulnerability in the Plane project management tool affecting versions up to 1.2.3.

The flaw allows any authenticated user to read, copy, delete, and overwrite assets in other Plane workspaces without proper authorization checks.

This happens because the WorkspaceFileAssetEndpoint does not verify workspace membership before performing asset operations, and the DuplicateAssetEndpoint only authorizes the destination workspace during duplication, failing to check access to the source workspace's assets.

An attacker with a normal user account in one workspace can exploit this to access, duplicate, delete, or overwrite assets in another workspace, including private assets and branding elements.

The vulnerability was patched in Plane version 1.3.1.

Impact Analysis

This vulnerability can lead to unauthorized data disclosure, allowing attackers to read private assets from other workspaces.

Attackers can also duplicate assets from other workspaces into their own, delete original assets, and overwrite important files such as workspace logos.

The impact includes loss of confidentiality, integrity, and partial availability of assets across workspaces, potentially causing data loss and visual defacement.

Detection Guidance

This vulnerability involves unauthorized access to assets across Plane workspaces by authenticated users due to missing authorization checks in asset-related endpoints.

Detection can focus on monitoring API calls to the V2 asset subsystem endpoints, specifically WorkspaceFileAssetEndpoint and DuplicateAssetEndpoint, for suspicious activity such as asset operations (create, read, patch, delete) performed by users on workspaces they do not belong to.

Inspect web server or application logs for asset operations that cross workspace boundaries, for example with grep or a similar tool to pull out asset-related API calls:

  • grep -i 'workspacefileassetendpoint' /var/log/plane/access.log
  • grep -i 'duplicateassetendpoint' /var/log/plane/access.log

Additionally, monitoring for asset duplication or deletion events initiated by users from different workspaces than the asset's origin can help detect exploitation attempts.
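The cross-workspace check described above, carried out over log lines instead of by hand, as an added example that is not part of the original advisory and not Plane's own tooling. Plane's real access-log layout and asset URL paths are not given on this page, so the log format, the `/api/workspaces/<slug>/assets/` path shape, the `src=` field naming a duplication's source workspace, the user ids and the membership table below are all constructed for the demonstration; the regex is the part to adapt to a real deployment.

```python
import re
from dataclasses import dataclass

# Constructed membership table: workspace slug -> member user ids (hypothetical).
MEMBERSHIP = {"acme": {1, 2}, "globex": {3}}

# Constructed log lines in a hypothetical format: timestamp, user id, method,
# path, an optional src= field naming the source workspace of a duplication,
# and the HTTP status. The non-matching last line shows that noise is skipped.
SAMPLE_LOG = """\
2026-06-10T10:00:01Z user=1 GET /api/workspaces/acme/assets/a1/ 200
2026-06-10T10:00:05Z user=3 GET /api/workspaces/acme/assets/a1/ 200
2026-06-10T10:00:09Z user=3 DELETE /api/workspaces/acme/assets/a1/ 204
2026-06-10T10:00:12Z user=3 POST /api/workspaces/globex/assets/duplicate/ src=acme 201
2026-06-10T10:00:15Z user=3 POST /api/workspaces/globex/assets/duplicate/ src=globex 201
2026-06-10T10:00:20Z user=2 PATCH /api/workspaces/acme/assets/logo/ 200
not an asset request line
"""

# Hypothetical log grammar; the workspace slug is taken from the URL path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>/api/workspaces/(?P<ws>[^/]+)/assets/\S*)"
    r"(?: src=(?P<src>\S+))? (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: int
    method: str
    workspace: str   # workspace whose assets were touched without membership
    status: int
    reason: str


def find_cross_workspace_asset_ops(log_text, membership=MEMBERSHIP):
    """Flag asset operations by users who are not members of the workspace involved.

    Two checks per line: the workspace in the URL, and, for duplications,
    the source workspace named by src=. A user may legitimately belong to the
    destination and still have no business reading the source.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, ws, status = int(m["user"]), m["ws"], int(m["status"])
        common = dict(ts=m["ts"], user=user, method=m["method"], status=status)
        if user not in membership.get(ws, set()):
            alerts.append(Alert(workspace=ws,
                                reason="asset operation on a workspace the user does not belong to",
                                **common))
        src = m["src"]
        if src and user not in membership.get(src, set()):
            alerts.append(Alert(workspace=src,
                                reason="duplicate from a source workspace the user does not belong to",
                                **common))
    return alerts


def summarize_by_user(alerts):
    """Count flagged operations per user id, a first triage view."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_cross_workspace_asset_ops(SAMPLE_LOG):
        print(f"{a.ts} user={a.user} {a.method} workspace={a.workspace} "
              f"status={a.status}: {a.reason}")
    print(summarize_by_user(find_cross_workspace_asset_ops(SAMPLE_LOG)))
```

On the constructed input this flags three events, all by user 3: a read and a delete against `acme`, where user 3 has no membership, and a duplication into `globex` whose source is `acme`. The in-workspace duplication and the two operations by `acme` members produce nothing. Because the flaw let unauthorized requests succeed, the status code is kept on each alert rather than used as a filter: a 2xx on a flagged line is the interesting case on an unpatched instance.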

Mitigation Strategies

The primary mitigation is to upgrade Plane to version 1.3.1 or later, where the vulnerability has been patched.

The patch enforces workspace membership authorization checks on all V2 asset endpoints, ensuring that users cannot perform asset operations on workspaces they do not belong to.

Until the upgrade can be applied, restrict access to the Plane application to trusted users only and monitor asset-related API endpoints for suspicious activity.

Review and enforce proper authorization policies on asset operations, especially for duplication and deletion actions, to prevent unauthorized cross-workspace access.
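The two authorization checks the advisory says were missing, shown side by side as an added example that is not Plane's code and does not reproduce its API: a destination-only duplication check of the kind described for DuplicateAssetEndpoint next to one that also checks the workspace that owns the source, and a file-asset operation that checks membership of the request's workspace and then verifies the asset actually belongs to that workspace (the CWE-639 half of the problem, where a valid membership is paired with someone else's asset id). The `Store`, `Asset`, `require_member` helper, workspace slugs and user ids are all hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The caller is not a member of the workspace that owns the asset."""


class NotFound(Exception):
    """No such asset in the workspace named by the request."""


@dataclass
class Asset:
    id: str
    workspace: str   # slug of the owning workspace
    data: bytes


@dataclass
class Store:
    """In-memory stand-in for the asset store and membership table (hypothetical)."""
    members: dict                       # workspace slug -> set of member user ids
    assets: dict = field(default_factory=dict)
    next_id: int = 100

    def new_id(self):
        self.next_id += 1
        return f"a{self.next_id}"


def require_member(store, user, workspace):
    """The single check that every asset operation must pass for every workspace it touches."""
    if user not in store.members.get(workspace, set()):
        raise Forbidden(f"user {user} is not a member of workspace {workspace!r}")


def duplicate_asset_unchecked(store, user, src_asset_id, dst_workspace):
    """Authorizes only the destination, the pattern the advisory describes as flawed."""
    require_member(store, user, dst_workspace)
    src = store.assets[src_asset_id]          # source workspace never consulted
    copy = Asset(store.new_id(), dst_workspace, src.data)
    store.assets[copy.id] = copy
    return copy.id


def duplicate_asset_checked(store, user, src_asset_id, dst_workspace):
    """Authorizes both ends: the destination and the workspace that owns the source."""
    require_member(store, user, dst_workspace)
    src = store.assets.get(src_asset_id)
    if src is None:
        raise NotFound(src_asset_id)
    require_member(store, user, src.workspace)  # the check that was missing
    copy = Asset(store.new_id(), dst_workspace, src.data)
    store.assets[copy.id] = copy
    return copy.id


def file_asset_op_checked(store, user, workspace, asset_id, op, payload=None):
    """Membership on the request's workspace, then asset-to-workspace binding."""
    require_member(store, user, workspace)
    asset = store.assets.get(asset_id)
    # Answer NotFound rather than Forbidden when the id belongs to another
    # workspace, so a caller learns nothing about assets outside its own.
    if asset is None or asset.workspace != workspace:
        raise NotFound(asset_id)
    if op == "read":
        return asset.data
    if op == "overwrite":
        asset.data = payload
        return asset.data
    if op == "delete":
        del store.assets[asset_id]
        return None
    raise ValueError(op)


def make_demo_store():
    """Constructed fixture: user 1 is in both workspaces, 2 only in acme, 3 only in globex."""
    store = Store(members={"acme": {1, 2}, "globex": {1, 3}})
    store.assets["a1"] = Asset("a1", "acme", b"acme-logo")
    return store
```

With this fixture, user 3 can copy `a1` out of `acme` through the destination-only variant but is refused by the checked one, while user 1, a member of both workspaces, is allowed. The binding check in `file_asset_op_checked` is what stops a user from naming a foreign asset id under a workspace they do belong to.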

Compliance Impact

The vulnerability allows any authenticated user to bypass authorization controls and access, copy, delete, or overwrite assets in other Plane workspaces without proper permission. This unauthorized access and manipulation of potentially sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Specifically, the high confidentiality and integrity impact indicated by the CVSS score suggests that sensitive information could be exposed or altered, which may result in non-compliance with standards mandating data privacy and security.

Mitigation through the patched version 1.3.1 enforces proper workspace authorization checks, which is essential to maintain compliance with these regulations by preventing unauthorized data access and modification.
