Platform
python
Component
plane
Fixed in
1.2.4
1.2.3
CVE-2026-30242 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Plane, a workspace management tool. This flaw allows authenticated attackers with administrative privileges to craft malicious webhooks that target internal network addresses, potentially leading to sensitive data exposure. The vulnerability impacts versions of Plane up to 0.2.1, and a fix is available in version 1.2.3.
The SSRF vulnerability in Plane allows attackers with workspace administrator roles to create webhooks pointing to private or internal network addresses. When these webhooks trigger, the Plane server makes requests to these internal locations and stores the responses. This enables attackers to exfiltrate sensitive data, such as cloud metadata (IAM credentials, tokens from AWS, GCP, or Azure instances). Furthermore, the vulnerability allows for internal service scanning, enabling attackers to probe the internal network for other vulnerable services. The potential blast radius extends to any internal resources accessible from the Plane server, making this a significant security risk.
CVE-2026-30242 was publicly disclosed on March 5, 2026. The vulnerability's impact, allowing cloud metadata exfiltration, is comparable to other SSRF vulnerabilities that have led to significant data breaches. There is no indication of this CVE being added to the CISA KEV catalog or active exploitation campaigns at the time of writing. Public proof-of-concept code is not yet widely available, but the vulnerability's nature makes it likely that such code will emerge.
Organizations using Plane for workspace management, particularly those relying on cloud-based infrastructure (AWS, GCP, Azure), are at significant risk. Environments with overly permissive administrator roles or lacking network segmentation are especially vulnerable. Shared hosting environments where multiple users share a Plane instance could also be affected.
• linux / server:
journalctl -u plane | grep -i "webhook url validation"
• python / application:
Inspect the plane/app/serializers/webhook.py file for the vulnerable URL validation logic. Look for instances where ip.is_loopback is the sole check.
• generic web:
Check Plane's webhook endpoint for unexpected responses when sending requests to internal IP addresses. Use curl to test:
curl -v http://<plane_server>/webhooks/<your_webhook_id> --data 'url=http://10.0.0.1'
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-30242 is to upgrade Plane to version 1.2.3 or later, which includes the necessary fix for the webhook URL validation. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the Plane server to only necessary internal resources. Implement a Web Application Firewall (WAF) or proxy to filter outbound requests and block connections to suspicious internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254). Monitor webhook creation and modification events for unusual activity. After upgrading, confirm the fix by attempting to create a webhook pointing to an internal IP address; the request should be rejected.
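As an added illustration (not Plane's own code or fix), the loopback-only pattern the advisory describes is shown beside a stricter validator that rejects every non-global address, including IPv4-mapped IPv6 literals and hostnames that resolve to internal ranges; `weak_url_check`, `is_safe_webhook_url` and the injectable `resolver` parameter are names assumed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def weak_url_check(url: str) -> bool:
    """The pattern the advisory describes: loopback is the only thing rejected.
    Constructed for illustration; this is not the actual Plane code."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostnames are never resolved, so they always pass
    return not ip.is_loopback


def _is_internal(ip) -> bool:
    """True for any address a webhook must never reach: RFC 1918, link-local
    (which covers the 169.254.169.254 metadata service), loopback, reserved,
    multicast, unspecified, or anything else not globally routable."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or not ip.is_global)


def is_safe_webhook_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Stricter validator: only http(s), and every address the host resolves
    to must be globally routable. `resolver` is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = resolver(host, None)
        except (socket.gaierror, OSError):
            return False  # unresolvable: fail closed
        # sockaddr[0] is the textual address; strip any IPv6 scope id (%eth0)
        addrs = [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]
    return bool(addrs) and not any(_is_internal(a) for a in addrs)
```

Resolving at validation time and again at request time leaves a DNS-rebinding window, so in production the outbound HTTP client should also pin the connection to the address that was validated.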
Update Plane to version 1.2.3 or later. This version contains a fix for the incomplete IP address validation in webhook URLs, preventing SSRF attacks.
CVE-2026-30242 is a HIGH severity SSRF vulnerability in Plane versions up to 0.2.1, allowing attackers with ADMIN roles to exfiltrate cloud metadata and scan internal networks.
If you are using Plane version 0.2.1 or earlier, you are potentially affected by this SSRF vulnerability. Upgrade to 1.2.3 or later to mitigate the risk.
The recommended fix is to upgrade Plane to version 1.2.3 or later. As a temporary workaround, restrict network access and implement WAF rules.
There is currently no confirmed evidence of active exploitation of CVE-2026-30242, but the vulnerability's nature makes it a potential target.
Refer to the official Plane security advisory for detailed information and updates regarding CVE-2026-30242. (Link to advisory would be here if available)