Platform: python
Component: plane
Fixed in: 1.2.4, 1.2.3
CVE-2026-30242 describes a Server-Side Request Forgery (SSRF) vulnerability in Plane, a workspace management application. An authenticated attacker holding the workspace ADMIN role can register a webhook whose target URL points to an internal network address. The server then issues requests to that address and stores the responses, so the attacker can read data from services that are not reachable from outside.
The primary impact of CVE-2026-30242 is unauthorized access to internal resources and sensitive data. An attacker can use the SSRF to read cloud instance metadata (AWS, GCP or Azure), which can expose IAM credentials and tokens and lead to compromise of the cloud environment. The attacker can also use the Plane server as a pivot to scan the internal network and identify further services to attack. Because the responses are stored and readable, this is a full-read SSRF rather than a blind one, which makes the information disclosure risk significant.
CVE-2026-30242 was publicly disclosed on March 5, 2026. At the time of writing there is no indication of active exploitation, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score listed for it is 0.01% (1st percentile).
Organizations using Plane for workspace management, particularly those relying on cloud-based infrastructure (AWS, GCP, Azure), are at significant risk. Environments with overly permissive administrator roles or lacking network segmentation are especially vulnerable. Shared hosting environments where multiple users share a Plane instance could also be affected.
• linux / server:
journalctl -u plane | grep -i "webhook url validation"
This assumes Plane runs as a systemd unit named plane and that the validator logs such a message; treat no hits as inconclusive rather than as proof of the fix.
• python / application:
Inspect the plane/app/serializers/webhook.py file for the vulnerable URL validation logic. Look for instances where ip.is_loopback is the sole check: in Python's ipaddress module, is_loopback covers only 127.0.0.0/8 and ::1, so RFC 1918 addresses and the metadata endpoint 169.254.169.254 pass it.
• generic web:
Check Plane's webhook endpoint for unexpected responses when sending requests to internal IP addresses. Use curl to test:
curl -v http://<plane_server>/webhooks/<your_webhook_id> --data 'url=http://10.0.0.1'
An unpatched instance accepts and stores the private-range URL; a patched one rejects it. Run this only against a Plane instance you are authorized to test.
Exploit status: disclosure
EPSS: 0.01% (1st percentile)
The recommended mitigation for CVE-2026-30242 is to upgrade Plane to version 1.2.3 or later, which fixes the webhook URL validation. If upgrading is not immediately feasible, filter the server's outbound connections with a firewall rule or forward proxy so that Plane cannot reach internal ranges: 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255, not only 172.16.x.x), 192.168.0.0/16, 127.0.0.0/8, and the link-local range 169.254.0.0/16, which contains the cloud metadata endpoint 169.254.169.254; include the IPv6 equivalents (::1, fc00::/7, fe80::/10). Note that a Web Application Firewall inspects inbound requests and will not stop the server's own outbound webhook calls, so egress filtering is what is needed here. Additionally, restrict the workspace ADMIN role to trusted users. After upgrading, confirm the fix by attempting to create a webhook pointing to an internal IP address and verifying that the request is rejected.
Update Plane to version 1.2.3 or later. This version contains a fix for the incomplete IP address validation in webhook URLs and prevents SSRF attacks.
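As an added example (not Plane's code and not part of the advisory), the following Python contrasts the weak check the detection section describes, where ip.is_loopback is the only rejected range, with a hardened webhook-URL validator that blocks the private, loopback, link-local and metadata ranges listed above and resolves hostnames before checking. The block list, the function names and the offline demo resolver are assumptions of this example, not Plane's implementation.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not Plane's code. Contrasts the weak check described on this
# page (only ip.is_loopback is rejected) with a hardened webhook-URL validator.

# Ranges a webhook target must never resolve to. This list is an assumption of
# the example, not Plane's; extend it for your own environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",         # "this" network
    "10.0.0.0/8",        # RFC 1918
    "100.64.0.0/10",     # carrier-grade NAT
    "127.0.0.0/8",       # loopback
    "169.254.0.0/16",    # link-local, includes the 169.254.169.254 metadata endpoint
    "172.16.0.0/12",     # RFC 1918 (172.16.0.0 - 172.31.255.255, not just 172.16.x.x)
    "192.168.0.0/16",    # RFC 1918
    "::1/128",           # IPv6 loopback
    "fc00::/7",          # IPv6 unique local
    "fe80::/10",         # IPv6 link-local
    "::ffff:0:0/96",     # IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1)
)]


def weak_is_safe(url: str) -> bool:
    """The pattern the page warns about: loopback is the only rejected range,
    and anything that does not parse as an IP literal passes unchecked."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True             # hostnames such as "localhost" are never checked
    return not ip.is_loopback   # 10.0.0.1 and 169.254.169.254 are accepted


def is_blocked_ip(ip) -> bool:
    """True if the address falls in any blocked range (IPv4-mapped IPv6 unwrapped)."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def hardened_is_safe(url: str, resolver=socket.getaddrinfo) -> bool:
    """Accept only http(s) URLs whose host, and every address it resolves to,
    is outside the blocked ranges. `resolver` has the getaddrinfo signature and
    is injectable so the example runs offline. In production, also connect to
    the address you validated rather than re-resolving, or a DNS-rebinding
    attacker can swap in an internal address between check and use."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = resolver(host, None)
        except OSError:
            return False        # unresolvable: fail closed
        # Short forms such as "127.1" or "2130706433" are not IP literals for
        # ipaddress but do resolve via getaddrinfo, so they land here too.
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(candidates) and not any(is_blocked_ip(ip) for ip in candidates)


# Constructed, offline stand-in for DNS so the example and its checks need no
# network. Unknown names raise OSError, as getaddrinfo does.
_DEMO_TABLE = {
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "hooks.example.com": ["203.0.113.10"],
}


def demo_resolver(host, port, *args, **kwargs):
    if host not in _DEMO_TABLE:
        raise OSError(f"cannot resolve {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (addr, port or 0))
            for addr in _DEMO_TABLE[host]]


def compare(url: str) -> tuple:
    """(weak verdict, hardened verdict) for one URL, using the demo resolver."""
    return weak_is_safe(url), hardened_is_safe(url, resolver=demo_resolver)


if __name__ == "__main__":
    # Constructed sample of webhook targets an attacker might submit.
    for u in ("https://hooks.example.com/plane", "http://127.0.0.1:8000/",
              "http://localhost/", "http://10.0.0.1/",
              "http://169.254.169.254/latest/meta-data/", "http://metadata.internal/",
              "http://[::ffff:10.0.0.1]/", "http://127.1/"):
        weak, hard = compare(u)
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{u:48} weak={verdict(weak):6} hardened={verdict(hard)}")
```

Running the block shows the weak check accepting every target except the bare loopback literal, while the hardened validator rejects everything that lands in a blocked range, including hostnames that resolve there and IPv4-mapped IPv6 literals. The resolver injection is only for offline demonstration; in a real deployment, pass the real getaddrinfo and make the outbound request to the validated address.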
CVE-2026-30242 is a HIGH severity SSRF vulnerability in Plane versions up to 0.2.1, allowing attackers with ADMIN roles to exfiltrate cloud metadata and scan internal networks.
If you are using Plane version 0.2.1 or earlier, you are potentially affected by this SSRF vulnerability. Upgrade to 1.2.3 or later to mitigate the risk.
The recommended fix is to upgrade Plane to version 1.2.3 or later. As a temporary workaround, restrict the server's outbound network access so that it cannot reach internal address ranges, and limit the ADMIN role to trusted users.
There is currently no confirmed evidence of active exploitation of CVE-2026-30242, but the vulnerability's nature makes it a potential target.
Refer to the official Plane security advisory for detailed information and updates regarding CVE-2026-30242.