CVE-2026-30242
Published: 06 March 2026
Summary
CVE-2026-30242 is a high-severity SSRF (CWE-918) vulnerability in Plane Plane. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of untrusted inputs such as webhook URLs to reject private/internal IP addresses, directly preventing SSRF exploitation.
Enforces information flow control policies that prohibit the application server from initiating connections to disallowed internal network destinations.
Monitors and controls communications at internal boundaries to block or detect outbound requests from the application to private IP ranges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in exposed web app (Plane) directly matches T1190 exploitation; explicit targeting of 169.254.169.254 plus full response read-back enables T1552.005 cloud metadata credential access.
NVD Description
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.).…
more
When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
Deeper analysisAI
CVE-2026-30242 is a Server-Side Request Forgery (SSRF) vulnerability in Plane, an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks if the IP address is loopback using ip.is_loopback. This insufficient validation permits the creation of webhooks targeting private or internal network addresses, including 10.x.x.x, 172.16.x.x, 192.168.x.x, and 169.254.169.254 ranges.
An attacker with a workspace ADMIN role can exploit this vulnerability by creating a malicious webhook with an internal target URL. When webhook events are triggered, the Plane server issues requests to these internal addresses and stores the full responses, allowing the attacker to read sensitive internal network data via SSRF with complete response read-back. The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is associated with CWE-918: Server-Side Request Forgery.
The vulnerability has been patched in Plane version 1.2.3. Security practitioners should upgrade to this version or later. Additional details are available in the release notes at https://github.com/makeplane/plane/releases/tag/v1.2.3 and the GitHub security advisory at https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73.
Details
- CWE(s)