CVE Tools

Home/Vulnerability/CVE-2026-40102

CVE-2026-40102

Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics

Published: May 20, 2026Updated: May 20, 2026 Sources: CVE List NVD

6.5CVSS

MEDIUM

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1.

EPSS Score

N/A

CISA KEV

Not in KEV

Exploits

No Known Exploits

Remediation

No Fix Available

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:LPrivileges Required

Low

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:HConfidentiality

High

I:NIntegrity

None

A:NAvailability

None

Weaknesses

CWE-943

Affected Products

plane

makeplane

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

References

https://github.com/makeplane/plane/security/advisories/GHSA-93x3-ghh7-72j3

github.com

https://github.com/makeplane/plane/releases/tag/v1.3.1

github.com

Timeline

Published

May 20, 2026

Last Updated

May 20, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-40102 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

AI-powered analysis

Plain-language impact assessment and exploitation scenario

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows