CVE-2025-69284

MEDIUM 4.3 / 10.0
Published: January 2, 2026 at 04:17 PM
Modified: January 2, 2026 at 04:45 PM
Source: security-advisories@github.com

Vulnerability Description

Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, the `/api/workspaces/:slug/members/` endpoint was nonetheless accessible to guests, letting them list the users of any workspace they had joined. Since the `display_name` in the response is the handle (local part) of the user's email address, a malicious guest could still identify admin users' email addresses. Version 1.2.0 fixes this issue.

CVSS Metrics

Base Score
4.3
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

Plane.io, a project management tool, suffers from an information disclosure vulnerability allowing guest-role users (authenticated, low-privilege accounts; CVSS PR:L) to enumerate the members of a workspace they have joined and to identify administrators' email handles, and from those, given the organisation's mail domain, their email addresses. This flaw, present in versions prior to 1.2.0, exposes user data that the UI deliberately withholds from guests, enabling targeted attacks such as phishing or credential stuffing against identified administrators.

02 // Vulnerability Mechanism

Step 1: Access the API endpoint. A user holding only the guest role sends an authenticated request to /api/workspaces/:slug/members/, where :slug identifies a workspace the guest has already joined.
Step 2: Request processing. The server authenticates the session but does not check whether the caller's workspace role permits listing members.
Step 3: Data retrieval. The server loads the full member list for the workspace.
Step 4: Information disclosure. The JSON response includes each member's display_name, which in affected versions is derived from the local part of the member's email address.
Step 5: Email harvesting. The guest filters the response for admin-role entries and reads their display_name values; combined with the organisation's email domain, these recover the administrators' email addresses.

03 // Deep Technical Analysis

The vulnerability stems from insufficient role-based access control on the /api/workspaces/:slug/members/ endpoint in Plane.io versions before 1.2.0. The endpoint, intended for workspace members with sufficient privileges, also answered requests from guest-role users, even though the corresponding settings page is hidden from guests in the UI. The response included the display_name field, which was derived from the local part of the user's email address rather than being a separately chosen name. This allowed a guest to enumerate every member of a workspace they had joined, administrators included, knowing only the workspace slug. The root cause is a missing server-side authorization check that failed to verify the caller's workspace role before returning member details; the UI-level restriction offered no protection because the API could be called directly. The advisory does not describe the patch. The standard fix for this class of issue is to enforce the role check on the members endpoint itself (the caller is already authenticated, so authentication alone is not the gap) and, as defence in depth, to stop deriving user-facing display names from email addresses.
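The following is an added example, not Plane's own code: a self-contained Python model of the five steps in the Vulnerability Mechanism section and of the missing role check described in the analysis above. The role ladder, field names, the Forbidden-to-403 mapping and the sample workspace members are all assumptions for illustration; Plane's real permission classes and serializers are not reproduced here. The vulnerable view and the hardened view sit side by side so the guest's harvest can be run against both.

```python
"""
Constructed model of CVE-2025-69284: guest can list workspace members and read
email handles from display_name. Added illustration; not Plane's code. Roles,
field names and sample users are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Callable


class Role(IntEnum):
    """Assumed workspace role ladder (illustrative, not Plane's constants)."""
    GUEST = 5
    MEMBER = 15
    ADMIN = 20


@dataclass(frozen=True)
class Member:
    email: str
    role: Role
    display_name: str  # affected versions derived this from the email local part


def handle_from_email(email: str) -> str:
    """Local part of an address: the value display_name leaked in affected versions."""
    return email.split("@", 1)[0]


def make_member(email: str, role: Role) -> Member:
    return Member(email, role, handle_from_email(email))


# Constructed sample workspace (not real users).
WORKSPACE = {
    "acme": [
        make_member("alice.admin@example.org", Role.ADMIN),
        make_member("bob@example.org", Role.MEMBER),
        make_member("contractor@example.net", Role.GUEST),
    ]
}


class Forbidden(Exception):
    pass


def _require_membership(slug: str, caller: Member) -> list[Member]:
    """Both views keep this check; the advisory says guests had to have joined."""
    members = WORKSPACE.get(slug, [])
    if caller not in members:
        raise Forbidden("caller is not a member of this workspace")
    return members


def list_members_vulnerable(slug: str, caller: Member) -> list[dict]:
    """Pre-1.2.0 behaviour as the advisory describes it: any member of the
    workspace, guests included, receives the whole list with display_name."""
    members = _require_membership(slug, caller)
    return [{"display_name": m.display_name, "role": int(m.role)} for m in members]


def list_members_fixed(slug: str, caller: Member) -> list[dict]:
    """Hardened variant (assumed, not the project's actual patch): the role is
    checked server-side, so hiding the settings page in the UI is no longer
    the only barrier."""
    members = _require_membership(slug, caller)
    if caller.role <= Role.GUEST:
        raise Forbidden("guests may not list workspace members")
    return [{"display_name": m.display_name, "role": int(m.role)} for m in members]


def request(view: Callable[[str, Member], list[dict]], slug: str, caller: Member):
    """Map a view call to (status, body) the way an HTTP layer would."""
    try:
        return 200, view(slug, caller)
    except Forbidden:
        return 403, None


def harvest_admin_handles(body: list[dict]) -> list[str]:
    """Step 5 from the attacker's side: keep admin rows, read the email handle."""
    return [row["display_name"] for row in body if row["role"] == Role.ADMIN]


if __name__ == "__main__":
    guest = WORKSPACE["acme"][2]
    status, body = request(list_members_vulnerable, "acme", guest)
    print("vulnerable:", status, harvest_admin_handles(body))  # 200 ['alice.admin']
    status, body = request(list_members_fixed, "acme", guest)
    print("fixed:", status, body)  # 403 None
```

The hardened view still returns display_name to members and admins, which mirrors what a project tool needs; the second, independent mitigation is to stop populating display_name from the email local part, so that a future role mistake leaks a chosen nickname rather than an address handle.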

CVE-2025-69284 - MEDIUM Severity (4.3) | Free CVE Database | 4nuxd