PatchSiren cyber security CVE debrief
CVE-2026-40102 makeplane CVE debrief
CVE-2026-40102 affects Plane versions 1.3.0 and below and is fixed in 1.3.1. The issue is an ORM Field Reference Injection in SavedAnalyticEndpoint: a user-controlled segment query parameter was passed directly into a Django F() expression without the allowlist validation used by the regular AnalyticsEndpoint. An authenticated workspace MEMBER could craft a request to the saved analytics endpoint and cause the ORM to traverse related fields and return referenced values in the JSON response. The result is sensitive data exposure, including bcrypt password hashes, API tokens, and related users’ email addresses.
- Vendor: makeplane
- Product: plane
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Administrators and security owners running Plane 1.3.0 or earlier should treat this as a sensitive-data exposure issue, especially if non-admin workspace members can access saved analytics endpoints. Teams that store secrets, credentials, or user PII in related models are at higher risk because the injected field references can surface those values directly in API responses.
Technical summary
According to the CVE description, SavedAnalyticEndpoint forwards the user-controlled segment parameter into build_graph_plot() and into a Django F() expression without validation. Unlike the regular AnalyticsEndpoint, which checks the value against an allowlist, the saved-analytics path does not constrain the segment input. That allows an authenticated workspace MEMBER to supply crafted field references such as chained relations (for example, workspace__owner__password) and have the ORM project the referenced values via .values("dimension", "segment"), returning them in JSON. The NVD metadata maps the weakness to CWE-943 and rates the issue CVSS 3.1 6.5/Medium with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
Defensive priority
High for exposed Plane deployments on affected versions. Although this is not a code-execution issue, the combination of network reachability, low-privilege authentication, and high confidentiality impact means defenders should prioritize version verification and upgrade planning promptly.
Recommended defensive actions
- Upgrade Plane to version 1.3.1 or later, which is identified as the fix in the supplied source material.
- Audit any authenticated workspace-member access to saved analytics endpoints and consider temporarily restricting the feature if upgrade timing is delayed.
- Review application logs and API telemetry for unusual requests to /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with crafted segment values or unexpected related-field patterns.
- Check whether sensitive fields such as password hashes, API tokens, or user email addresses may be reachable through related models exposed to analytics queries.
- Validate that any custom patches or forks apply allowlist-based validation to segment inputs before they reach Django ORM field references.
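The allowlist check described in the technical summary, together with the log review suggested above, as an added example that is not Plane's own code. The allowed field names, the log format and the log lines are constructed for this example; the path pattern follows the endpoint named in the recommended actions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist standing in for the fields the regular
# AnalyticsEndpoint accepts; the names are constructed for this example.
ALLOWED_SEGMENTS = frozenset({"state", "priority", "assignees", "labels"})

# Path of the saved-analytics endpoint named in the advisory.
SAVED_VIEW_RE = re.compile(r"^/api/workspaces/[^/]+/saved-analytic-view/[^/]+/?$")


def validate_segment(segment):
    """Allowlist check to run before a segment reaches F() or .values().

    Returns the field name unchanged or raises ValueError. Because only exact
    allowlisted names pass, '__' relation traversal into related models is
    rejected along with every other unexpected value.
    """
    if not isinstance(segment, str) or segment not in ALLOWED_SEGMENTS:
        raise ValueError(f"segment {segment!r} is not an allowed analytics field")
    return segment


def find_suspicious_requests(log_lines):
    """Return (line_no, segment) for saved-analytic-view requests whose
    segment fails the allowlist; a retrospective check over access logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()  # constructed format: client method url status
        if len(parts) < 3 or parts[1] != "GET":
            continue
        url = urlparse(parts[2])
        if not SAVED_VIEW_RE.match(url.path):
            continue
        for seg in parse_qs(url.query).get("segment", []):
            try:
                validate_segment(seg)
            except ValueError:
                hits.append((n, seg))
    return hits


# Constructed sample access-log lines (not from any real deployment).
SAMPLE_LOG = [
    "10.0.0.5 GET /api/workspaces/acme/saved-analytic-view/42/?segment=priority 200",
    "10.0.0.7 GET /api/workspaces/acme/saved-analytic-view/42/?segment=workspace__owner__password 200",
    "10.0.0.9 GET /api/workspaces/acme/analytics/?segment=state 200",
]

if __name__ == "__main__":
    for line_no, seg in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected segment {seg!r}")
```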
Evidence notes
This debrief is based only on the supplied CVE description and official references. The description explicitly states that SavedAnalyticEndpoint accepts a user-controlled segment parameter, passes it into a Django F() expression without validation, and can return referenced field values directly in the JSON response. The source metadata also identifies CWE-943 and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The official references provided are the GitHub release tag for v1.3.1 and the associated GitHub Security Advisory.
Official resources
Publicly disclosed on 2026-05-20, with the CVE record and NVD entry published at 2026-05-20T22:16:37.130Z.