CVE-2025-69284
📋 TL;DR
This vulnerability in Plane.io allows guest users to access an API endpoint that lists workspace members, potentially exposing admin email addresses through display_name fields. It affects all Plane.io instances running versions before 1.2.0 where guest users have access to workspaces. The issue enables information disclosure that could facilitate targeted attacks.
💻 Affected Systems
- Plane.io
⚠️ Risk & Real-World Impact
Worst Case
Attackers identify admin email addresses and conduct sophisticated phishing campaigns or credential stuffing attacks against privileged accounts, potentially leading to account takeover and further system compromise.
Likely Case
Malicious guest users harvest admin email addresses for spam, phishing, or social engineering attempts against organization personnel.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct system access or privilege escalation.
🎯 Exploit Status
Exploitation requires guest user access and involves simple API calls to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.0
Vendor Advisory: https://github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qr
Restart Required: Yes
Instructions:
1. Back up your Plane instance data.
2. Update to version 1.2.0 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the Plane service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict guest user permissions
Temporarily disable or restrict guest user access to workspaces until patching is complete.
API endpoint restriction
Configure a web application firewall or reverse proxy to block guest access to /api/workspaces/*/members/ endpoints.
🧯 If You Can't Patch
- Disable guest user functionality entirely in Plane configuration
- Implement network segmentation to isolate Plane instance from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check whether guest users can access the /api/workspaces/{slug}/members/ endpoint and see user listings whose display names contain email addresses.
Check Version:
Check Plane version in admin panel or via docker inspect for containerized deployments.
Verify Fix Applied:
After updating to 1.2.0+, verify guest users cannot access the /api/workspaces/{slug}/members/ endpoint or that email information is properly redacted.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/workspaces/*/members/ from guest user accounts
- Unusual API access patterns from guest accounts
Network Indicators:
- HTTP 200 responses to /api/workspaces/*/members/ endpoints for guest users containing user listing data
SIEM Query:
source="plane" AND (uri_path="/api/workspaces/*/members/" AND user_role="guest")
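The log and network indicators above, turned into a small offline detector as an added example (not part of the advisory or of Plane's own code). It assumes a hypothetical space-separated access-log format (timestamp, user, role, method, path, status); the sample lines are constructed, and the path pattern follows the /api/workspaces/{slug}/members/ endpoint named on this page.

```python
import re
from collections import defaultdict

# Vulnerable endpoint from the advisory; the slug charset is an assumption.
MEMBERS_RE = re.compile(r"^/api/workspaces/[^/]+/members/?$")

# Constructed sample log lines in a hypothetical format: ts user role method path status
SAMPLE_LOG = """\
2025-01-10T10:00:01Z alice@example.test admin GET /api/workspaces/acme/members/ 200
2025-01-10T10:00:05Z guest-77 guest GET /api/workspaces/acme/members/ 200
2025-01-10T10:00:06Z guest-77 guest GET /api/workspaces/acme/members/ 200
2025-01-10T10:00:07Z guest-77 guest GET /api/workspaces/beta/members/ 200
2025-01-10T10:00:09Z guest-12 guest GET /api/workspaces/acme/issues/ 200
2025-01-10T10:00:11Z guest-12 guest GET /api/workspaces/acme/members/ 403
"""


def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, role, method, path, status = parts
    return {"ts": ts, "user": user, "role": role, "method": method,
            "path": path, "status": int(status)}


def guest_member_hits(log_text):
    """Count successful (HTTP 200) GETs to the members endpoint per guest account.

    A 403 on a patched instance is not counted: only a 200 carrying the member
    listing indicates the disclosure actually happened.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["role"] == "guest" and rec["method"] == "GET"
                and rec["status"] == 200 and MEMBERS_RE.match(rec["path"])):
            hits[rec["user"]] += 1
    return dict(hits)


def flag_guests(log_text, threshold=2):
    """Guest accounts with at least `threshold` successful member-list reads."""
    return sorted(u for u, n in guest_member_hits(log_text).items() if n >= threshold)
```

Run against real access logs, adjust parse_line to the deployment's log format and tune the threshold to what normal guest activity looks like in that instance.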