CVE-2026-46558 is a high-severity vulnerability in Plane, an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass allows any authenticated user to read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.
CVE-2026-40102 affects Plane versions 1.3.0 and below and is fixed in 1.3.1. The issue is an ORM Field Reference Injection in SavedAnalyticEndpoint: a user-controlled segment query parameter was passed directly into a Django F() expression without the allowlist validation used by the regular AnalyticsEndpoint. An authenticated workspace MEMBER could craft a request to the saved analytics endpoint and caus [truncated]