CVE-2026-27705

Plane is an open-source project management tool. Prior to v1.2.2, the ProjectAssetEndpoint.patch() method uses a global asset lookup (FileAsset.objects.get(id=pk)) without validating workspace/project ownership, allowing any authenticated user (including GUEST) to modify attributes and is_uploade...

EUVD-2026-8681

Plane is an an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch method in apps/api/plane/app/views/asset/v2.py lines 579–593 performs a global asset lookup using only the asset ID pk via FileAsset.objects.getid=pk, without verifying that the asset belong...