Cyber Resilience

CVE-2026-30242

High

Published: 06 March 2026

Published
06 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0028 20.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30242 is a high-severity SSRF (CWE-918) vulnerability in Plane Plane. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30242 is a Server-Side Request Forgery (SSRF) vulnerability in Plane, an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks if the IP address is loopback using ip.is_loopback. This insufficient validation permits the creation of webhooks targeting private or internal network addresses, including 10.x.x.x, 172.16.x.x, 192.168.x.x, and 169.254.169.254 ranges.

An attacker with a workspace ADMIN role can exploit this vulnerability by creating a malicious webhook with an internal target URL. When webhook events are triggered, the Plane server issues requests to these internal addresses and stores the full responses, allowing the attacker to read sensitive internal network data via SSRF with complete response read-back. The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is associated with CWE-918: Server-Side Request Forgery.

The vulnerability has been patched in Plane version 1.2.3. Security practitioners should upgrade to this version or later. Additional details are available in the release notes at https://github.com/makeplane/plane/releases/tag/v1.2.3 and the GitHub security advisory at https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.).…

more

When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in exposed web app (Plane) directly matches T1190 exploitation; explicit targeting of 169.254.169.254 plus full response read-back enables T1552.005 cloud metadata credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27706Same product: Plane Plane
CVE-2026-39843Same product: Plane Plane
CVE-2026-30244Same product: Plane Plane
CVE-2026-39374Same product: Plane Plane
CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918
CVE-2025-54122Shared CWE-918
CVE-2026-25545Shared CWE-918
CVE-2026-41905Shared CWE-918
CVE-2025-50180Shared CWE-918

Affected Assets

plane
plane
≤ 1.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of untrusted inputs such as webhook URLs to reject private/internal IP addresses, directly preventing SSRF exploitation.

prevent

Enforces information flow control policies that prohibit the application server from initiating connections to disallowed internal network destinations.

preventdetect

Monitors and controls communications at internal boundaries to block or detect outbound requests from the application to private IP ranges.

References