ORM Field Reference Injection in Plane Project Management Tool
CVE-2026-40102
What is CVE-2026-40102?
In the Plane project management tool, an ORM Field Reference Injection vulnerability was discovered in versions 1.3.0 and earlier. The issue arises in the SavedAnalyticEndpoint, which passes the user-controlled segment query parameter into Django F() expressions without adequate validation. Unlike its counterpart, the AnalyticsEndpoint, this endpoint lets an authenticated workspace member craft GET requests that extract sensitive information from the database, including bcrypt password hashes, API tokens, and email addresses; the data is exposed through .values("dimension", "segment") in the JSON response, which makes this a critical security flaw. The vulnerability was addressed in version 1.3.1.
Affected Version(s)
plane < 1.3.1
