Vulnerability Details CVE-2026-39374
Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.3%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-39374
-
cpe:2.3:a:plane:plane:-
-
cpe:2.3:a:plane:plane:0.1
-
cpe:2.3:a:plane:plane:0.2
-
cpe:2.3:a:plane:plane:0.2.1
-
cpe:2.3:a:plane:plane:0.23.0
-
cpe:2.3:a:plane:plane:0.23.1
-
cpe:2.3:a:plane:plane:0.24.0
-
cpe:2.3:a:plane:plane:0.24.1
-
cpe:2.3:a:plane:plane:0.25.0
-
cpe:2.3:a:plane:plane:0.25.1
-
cpe:2.3:a:plane:plane:0.25.2
-
cpe:2.3:a:plane:plane:0.25.3
-
cpe:2.3:a:plane:plane:0.26.0
-
cpe:2.3:a:plane:plane:0.26.1
-
cpe:2.3:a:plane:plane:0.27.0
-
cpe:2.3:a:plane:plane:0.27.1
-
cpe:2.3:a:plane:plane:0.28.0
-
cpe:2.3:a:plane:plane:0.3
-
cpe:2.3:a:plane:plane:0.3.1
-
cpe:2.3:a:plane:plane:0.4
-
cpe:2.3:a:plane:plane:0.5
-
cpe:2.3:a:plane:plane:0.6
-
cpe:2.3:a:plane:plane:0.7
-
cpe:2.3:a:plane:plane:0.7.1
-
cpe:2.3:a:plane:plane:0.8
-
cpe:2.3:a:plane:plane:0.9
-
cpe:2.3:a:plane:plane:1.0.0
-
cpe:2.3:a:plane:plane:1.1.0
-
cpe:2.3:a:plane:plane:1.2.0
-
cpe:2.3:a:plane:plane:1.2.1