CVE-2025-69284 — MEDIUM (4.3)

Vulnerability Description

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guest and able to list of users on a specific workspace that they joined. Since the `display_name` in the response is actually the handler of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Plane	Plane	1.1.0

Related Weaknesses (CWE)

CWE-284

References

https://github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qrVendor Advisory

FAQ

What is CVE-2025-69284?

CVE-2025-69284 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem o...

How severe is CVE-2025-69284?

CVE-2025-69284 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-69284?

Check the references section above for vendor advisories and patch information. Affected products include: Plane Plane.