Cross-Boundary Data Modification in Plane Project Management Tool
CVE-2026-39374

6.5MEDIUM

Key Information:

Vendor: Makeplane
Status: Plane
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39374?

In the Plane project management tool, prior to version 1.3.0, a flaw in the IssueBulkUpdateDateEndpoint permits project members (either ADMIN or MEMBER) to alter the start_date and target_date of any issue across the entire Plane instance. This occurs without adequate workspace or project membership restrictions, leading to unauthorized data manipulation across different projects. The vulnerability allows critical cross-boundary modifications, enabling users to impact projects they are not associated with. The issue has been resolved in version 1.3.0.

Affected Version(s)

plane < 1.3.0

References

https://github.com/makeplane/plane/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39374 Data

JSON

Makeplane

What is CVE-2026-39374?

Affected Version(s)

References

CVSS V3.1

Timeline