Platform: python
Component: plane
Fixed in: 1.2.4, 1.2.3
CVE-2026-30242 describes a Server-Side Request Forgery (SSRF) vulnerability in Plane, a workspace management tool. An authenticated attacker holding the workspace administrator role can register a webhook whose target is an internal network address; the Plane server then issues requests to that address on the attacker's behalf, potentially exposing sensitive data. Plane versions up to 0.2.1 are reported as affected, and a fix is available in version 1.2.3.
The flaw lies in the validation of webhook URLs. A workspace administrator can create a webhook pointing at a private or internal address, and when the webhook fires, the Plane server makes the request and stores the response where the attacker can read it, which turns the server into a proxy into its own network. The highest-value target is the cloud instance metadata service (169.254.169.254 on AWS, GCP and Azure), which can return IAM credentials and tokens. Beyond that, the attacker can probe internal services by address and port and read responses from anything the Plane server can reach. The blast radius is therefore every internal resource reachable from the Plane host, not just Plane itself, which is why this is a significant risk.
CVE-2026-30242 was publicly disclosed on March 5, 2026. Its impact, cloud metadata exfiltration from a server-side request, is the same class of weakness behind several well-known data breaches. There is no indication of this CVE being added to the CISA KEV catalog or of active exploitation campaigns at the time of writing. Public proof-of-concept code is not yet widely available, but exploitation requires nothing more than an ordinary webhook creation request carrying a crafted URL, so such code is likely to appear.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-30242 is to upgrade Plane to version 1.2.3 or later, which corrects the webhook URL validation. If upgrading immediately is not feasible, reduce exposure in the meantime. Restrict what the Plane server can reach on the network to the internal resources it actually needs, and enforce that at the network or host level (egress firewall rules, or an outbound proxy that the Plane containers are required to use). A WAF is the wrong tool here: it inspects inbound traffic and never sees the server's own outgoing webhook requests. Block at minimum 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x through 172.31.x.x, not only 172.16.x.x), 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16 (the link-local range containing the 169.254.169.254 cloud metadata endpoint) and the IPv6 equivalents (::1, fc00::/7, fe80::/10). On AWS, requiring IMDSv2 also blunts metadata theft, since a single forwarded GET cannot obtain the session token it needs. Keep the set of workspace administrators small, and review webhook creation and modification events for targets that are IP literals, non-public hostnames or unusual ports. After upgrading, confirm the fix by attempting to create a webhook pointing to an internal IP address and one pointing to a hostname you control that resolves to an internal address; both should be rejected.
Update Plane to version 1.2.3 or higher. That release fixes the incomplete IP address validation in webhook URLs, so webhook targets that resolve to internal addresses are rejected and the SSRF is closed.
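The root cause the page describes, incomplete IP address validation of webhook URLs, is easiest to understand side by side with a validator that does the job properly. The following is an added example, not Plane's code and not taken from the fix: `weak_is_internal` is an assumed shape of the kind of string-prefix check that leaves an SSRF open (it is not Plane's actual implementation), and `validate_webhook_url` is the hardened form. It normalises literal IPv4, IPv6 and IPv4-mapped IPv6 addresses, resolves hostnames and checks every answer against the private, loopback, link-local and metadata ranges, and returns the vetted addresses so the delivery code can connect to one of them directly (pinning) instead of resolving the name a second time. The `resolver` parameter is an injection point assumed for testing; the addresses in the comments are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side webhook must never reach: RFC 1918, CGNAT,
# loopback, link-local (which contains the 169.254.169.254 cloud metadata
# endpoint), the unspecified address, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def weak_is_internal(url):
    """A string-prefix check of the 'incomplete IP validation' kind this page
    describes (assumed shape, NOT Plane's real code). It misses 172.17-31.x,
    IPv6, IPv4-mapped IPv6 (::ffff:10.0.0.5), decimal or octal IP spellings,
    and any public-looking hostname that happens to resolve internally."""
    host = urlsplit(url).hostname or ""
    return host == "localhost" or host.startswith(("10.", "192.168.", "172.16.", "127."))


def _is_blocked(ip_text):
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.5 is really 10.0.0.5: compare the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_multicast or addr.is_reserved
            or any(addr in net for net in BLOCKED_NETWORKS))


def _system_resolver(host):
    """Default resolver: every A/AAAA answer the system returns for the name."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_webhook_url(url, resolver=_system_resolver):
    """Return the set of IP addresses the webhook may be delivered to, or raise
    ValueError. Every resolved address is checked, and the caller is expected to
    connect to one of the returned addresses with redirects disabled rather than
    resolving the name again; re-resolving is what DNS rebinding exploits."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:            # e.g. malformed IPv6 brackets
        raise ValueError(f"unparseable URL: {exc}")
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if parts.username or parts.password:
        raise ValueError("credentials in webhook URLs are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:                                 # literal IP (IPv4 or bracketed IPv6)?
        ips = {str(ipaddress.ip_address(host))}
    except ValueError:                   # a name: resolve it, check every answer
        ips = {str(ipaddress.ip_address(a)) for a in resolver(host)}
    if not ips:
        raise ValueError(f"{host} does not resolve")
    for ip in ips:
        if _is_blocked(ip):
            raise ValueError(f"{host} resolves to disallowed address {ip}")
    return ips


def is_safe_webhook_url(url, resolver=_system_resolver):
    """Boolean convenience wrapper around validate_webhook_url."""
    try:
        validate_webhook_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs; the last two show where the weak check falls short.
    for target in ("http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:10.0.0.5]/", "http://172.20.0.1/"):
        print(target, "weak:", weak_is_internal(target),
              "hardened rejects:", not is_safe_webhook_url(target))
```

Run the validator twice: once when the webhook is created (so the administrator gets a useful error) and again immediately before each delivery, connecting to one of the returned addresses and with HTTP redirect following disabled, because a public host can answer with a 302 to 169.254.169.254 and a resolver answer can change between creation and delivery. Application-level validation of this sort is the fix the page refers to; the network-level egress rules described above remain worthwhile as defence in depth.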
CVE-2026-30242 is a HIGH-severity SSRF vulnerability in Plane versions up to 0.2.1 that lets an attacker holding the workspace ADMIN role exfiltrate cloud metadata and scan internal networks through crafted webhook targets.
If you are using Plane version 0.2.1 or earlier, you are potentially affected by this SSRF vulnerability. Upgrade to 1.2.3 or later to mitigate the risk.
The recommended fix is to upgrade Plane to version 1.2.3 or later. As a temporary workaround, restrict the Plane server's outbound network access with egress firewall rules or a mandatory outbound proxy so that it cannot reach internal and metadata addresses.
There is currently no confirmed evidence of active exploitation of CVE-2026-30242, but the vulnerability's nature makes it a potential target.
Refer to the official Plane security advisory for detailed information and updates regarding CVE-2026-30242.