CVE-2026-39374
Published: 07 April 2026
Summary
CVE-2026-39374 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Plane (makeplane/plane), an open-source project management tool. Its CVSS v3.1 base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 10.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations for access to issues based on workspace and project membership, directly preventing project members from modifying dates on issues outside their scope.
SI-10 (Information Input Validation): validates the issue IDs supplied to the IssueBulkUpdateDateEndpoint against the authenticated user's workspace and project permissions, mitigating authorization bypass via user-controlled keys.
AC-6 (Least Privilege): restricts project ADMIN and MEMBER roles to the minimum access necessary within their assigned workspaces and projects, reducing the impact of flawed endpoint authorization checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass lets an authenticated member modify stored issue data (start and target dates) across workspace and project boundaries, which maps directly to Stored Data Manipulation (T1565.001).
NVD Description
Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.
Deeper analysis
CVE-2026-39374 affects Plane, an open-source project management tool, in versions prior to 1.3.0. The vulnerability resides in the IssueBulkUpdateDateEndpoint, which permits authenticated project members with ADMIN or MEMBER roles to modify the start_date and target_date fields of any issue across the entire Plane instance. This occurs because the endpoint fetches issues by ID without enforcing filters for workspace or project membership, resulting in unauthorized cross-boundary data modification. The issue is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
An attacker holding a low-privilege project ADMIN or MEMBER role in any workspace can exploit this vulnerability remotely over the network, with low complexity and no user interaction. By sending a bulk update request that names issue IDs belonging to other workspaces or projects, the attacker can alter the start and target dates of issues in tenants they are not a member of, disrupting project timelines or falsifying schedule and progress data in multi-tenant deployments. The CVSS vector (C:N/I:H/A:N) reflects that the impact is to integrity only: the endpoint neither discloses issue contents nor affects availability.
The vulnerability was fixed in Plane version 1.3.0, as detailed in the GitHub security advisory at https://github.com/makeplane/plane/security/advisories/GHSA-4q54-h4x9-m329. Security practitioners should upgrade to 1.3.0 or later. When reviewing similar bulk endpoints, in Plane or in other multi-tenant tools, check that every object lookup by a client-supplied ID is filtered by the tenant scope the caller was authorized for, rather than relying on the caller merely holding a role in the workspace or project named in the URL.
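The following is an added illustration of the CWE-639 pattern described above; it is not Plane's code and is not taken from the advisory. It simulates the ORM with an in-memory dictionary so it runs offline. The field names (`workspace`, `project`), the membership table, the user names and the sample issues are all constructed assumptions. The vulnerable function checks the caller's role for the workspace and project in the request but then fetches each issue by its client-supplied ID alone; the hardened function scopes the lookup to that workspace and project and validates the whole batch before writing anything.

```python
"""Added example for CVE-2026-39374 (CWE-639): vulnerable vs. scoped bulk date update.
Not Plane's code; an in-memory stand-in for the ORM so the example runs offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Issue:
    id: int
    workspace: str                 # workspace slug (assumed field name)
    project: int                   # project id (assumed field name)
    start_date: Optional[str] = None
    target_date: Optional[str] = None


def make_store() -> Dict[int, Issue]:
    """Constructed sample data: two tenants that must never touch each other's issues."""
    return {
        1: Issue(1, "acme", 10, "2026-01-01", "2026-02-01"),
        2: Issue(2, "globex", 20, "2026-03-01", "2026-04-01"),
    }


# Constructed membership table: user -> {(workspace, project): role}
MEMBERSHIP = {"alice": {("acme", 10): "MEMBER"}}
ALLOWED_ROLES = {"ADMIN", "MEMBER"}


class PermissionDenied(Exception):
    pass


class NotFound(Exception):
    pass


def _require_member(user: str, workspace: str, project: int) -> None:
    """Role check against the workspace/project named in the request URL."""
    if MEMBERSHIP.get(user, {}).get((workspace, project)) not in ALLOWED_ROLES:
        raise PermissionDenied(f"{user} is not ADMIN/MEMBER of {workspace}/{project}")


def _apply(issue: Issue, upd: dict) -> None:
    if "start_date" in upd:
        issue.start_date = upd["start_date"]
    if "target_date" in upd:
        issue.target_date = upd["target_date"]


def bulk_update_dates_vulnerable(store: Dict[int, Issue], user: str, workspace: str,
                                 project: int, updates: List[dict]) -> List[int]:
    """The flaw described in the advisory: the role check passes for the URL's
    workspace/project, but each issue is then fetched by its client-supplied id
    with no scope filter, so ids from any other tenant are updated as well."""
    _require_member(user, workspace, project)
    touched = []
    for upd in updates:
        issue = store.get(upd["id"])          # user-controlled key, unscoped lookup
        if issue is None:
            continue
        _apply(issue, upd)
        touched.append(issue.id)
    return touched


def bulk_update_dates_fixed(store: Dict[int, Issue], user: str, workspace: str,
                            project: int, updates: List[dict]) -> List[int]:
    """Hardened form: the lookup itself is restricted to the workspace and project
    the caller was authorized for (the equivalent of filtering the queryset by
    workspace slug and project id), and the batch is validated before any write,
    so a single out-of-scope id rejects the whole request instead of leaving a
    partial update. Out-of-scope and non-existent ids both surface as NotFound,
    so the response does not leak whether an issue exists in another tenant."""
    _require_member(user, workspace, project)
    in_scope = {i.id: i for i in store.values()
                if i.workspace == workspace and i.project == project}
    requested = [upd["id"] for upd in updates]
    missing = [i for i in requested if i not in in_scope]
    if missing:
        raise NotFound(f"issue ids not in {workspace}/{project}: {missing}")
    for upd in updates:
        _apply(in_scope[upd["id"]], upd)
    return requested


def demo() -> Tuple[List[int], Optional[str], bool, Optional[str]]:
    """alice (MEMBER of acme/10) submits globex's issue 2 in a bulk date update."""
    attack = [{"id": 2, "start_date": "1999-01-01", "target_date": "1999-01-02"}]
    vuln = make_store()
    touched = bulk_update_dates_vulnerable(vuln, "alice", "acme", 10, attack)
    fixed = make_store()
    try:
        bulk_update_dates_fixed(fixed, "alice", "acme", 10, attack)
        blocked = False
    except NotFound:
        blocked = True
    # (ids written by vulnerable code, date after attack, blocked by fix?, date after fix)
    return touched, vuln[2].start_date, blocked, fixed[2].start_date


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole batch rather than silently dropping out-of-scope ids is a deliberate choice: a partially applied bulk update is hard for a client to reason about, and a filtered queryset that quietly skips foreign ids can hide a probing attacker from logs. Either way, the essential fix is that the scope filter is part of the lookup, not a separate check that can be forgotten.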
Details
- CWE(s)