Vulnerability Description
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plane | Plane | < 1.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/makeplane/plane/releases/tag/v1.2.3Release Notes
- https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73Vendor Advisory
FAQ
What is CVE-2026-30242?
CVE-2026-30242 is a vulnerability with a CVSS score of 8.5 (HIGH). Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace...
How severe is CVE-2026-30242?
CVE-2026-30242 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30242?
Check the references section above for vendor advisories and patch information. Affected products include: Plane Plane.