plane

v1.3.1 Security

This release includes 3 security fixes; teams running exposed (internet-reachable) deployments should review them.

Published 20d Productivity & Wikis
✓ No known CVEs patched
This release patches 3 GitHub Security Advisories (GHSA IDs); no CVE identifier is listed for any of them.

Topics

boards bug-tracker django docker gantt issue-tracker jira jira-alternative kanban linear postgresql product-management project-management project-planning python react redis typescript vite work-management

Affected surfaces

auth rbac rce_ssrf deps

ReleasePort's take

Moderate signal
editorial:auto 9d

GHSA-93x3-ghh7-72j3 patches an ORM field injection flaw in analytics segment parameters.

Why it matters: the GHSA-93x3-ghh7-72j3 fix (rated Medium in the release notes below) stops callers from passing arbitrary field references to Django F() expressions through the analytics segment parameter; upgrade to v1.3.1.

Summary

AI summary

GHSA-93x3-ghh7-72j3 prevents ORM field injection via analytics segment parameter.

Changes in this release

Security Medium

Prevent ORM field injection via analytics segment parameter.

Source: llm_adapter@2026-05-21

Confidence: high
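The changelog below says the fix centralizes the analytics field allowlists (VALID_ANALYTICS_FIELDS, VALID_YAXIS) and validates in build_graph_plot() and extract_axis() so that no caller can hand an arbitrary field reference to a Django F() expression. The following is an added example of that pattern, not Plane's code: it does not import Django, and the allowlist contents, the SCHEMA relation graph, the InvalidAnalyticsField exception, resolve_f_path() and segment_accepted() are constructed for illustration. The default-on-missing behaviour of extract_axis() is an assumption. resolve_f_path() shows why a trusted string is dangerous: F() lookups walk relations with `__`, so a caller-controlled segment can bind to a column on a related model.

```python
"""Allowlisting ORM field references before they reach Django F()."""
from __future__ import annotations

# Constructed stand-ins for the centralized allowlists. Exact-match membership
# is the point: "created_by" can be allowed while "created_by__password" is not.
VALID_ANALYTICS_FIELDS = frozenset({"state", "priority", "labels", "assignees", "created_by"})
VALID_YAXIS = frozenset({"issue_count", "estimate"})

# Constructed relation graph standing in for Django model metadata:
# model -> {field name: related model, or None for a plain column}.
SCHEMA = {
    "Issue": {"state": "State", "priority": None, "labels": "Label",
              "assignees": "User", "created_by": "User"},
    "User": {"email": None, "password": None, "is_superuser": None},
    "State": {"name": None},
    "Label": {"name": None},
}


class InvalidAnalyticsField(ValueError):
    pass


def resolve_f_path(model: str, path: str) -> str:
    """What F(path) would bind to if the string were trusted: the lookup walks
    relations on '__', so a caller can name columns of related models."""
    current = model
    for part in path.split("__"):
        fields = SCHEMA.get(current, {})
        if part not in fields:
            raise InvalidAnalyticsField("unknown field")
        related = fields[part]
        if related is None:
            return f"{current}.{part}"      # a concrete column, e.g. User.password
        current = related
    return current                           # path ended on a relation, e.g. User


def extract_axis(value, allowed: frozenset, default: str) -> str:
    """Validate one axis/segment parameter against its allowlist.
    Assumption: an absent value falls back to a default; a present but
    non-allowlisted value is rejected rather than silently replaced."""
    if value in (None, ""):
        return default
    if not isinstance(value, str) or value not in allowed:
        raise InvalidAnalyticsField("field not permitted")
    return value


def build_graph_plot(x_axis, y_axis, segment=None) -> dict:
    """Every caller's parameters pass through extract_axis() here, before any
    F() expression would be built, so an endpoint that lacks its own check is
    still covered (defense in depth)."""
    plot = {
        "x": extract_axis(x_axis, VALID_ANALYTICS_FIELDS, "state"),
        "y": extract_axis(y_axis, VALID_YAXIS, "issue_count"),
        "segment": None,
    }
    if segment not in (None, ""):
        plot["segment"] = extract_axis(segment, VALID_ANALYTICS_FIELDS, "")
    return plot


def segment_accepted(segment) -> bool:
    """Constructed helper: does a segment value survive the allowlist?"""
    try:
        build_graph_plot("priority", "issue_count", segment)
        return True
    except InvalidAnalyticsField:
        return False


if __name__ == "__main__":
    # Constructed attacker input: without the allowlist, F() would resolve it
    # to a column on the related User model.
    print(resolve_f_path("Issue", "created_by__password"))
    for seg in ["state", "created_by", "created_by__password"]:
        print(f"{seg!r:28} accepted={segment_accepted(seg)}")
```

Membership is exact-match on purpose: a prefix or `startswith` check on an allowed relation name would still let `created_by__password` through. Running the same routine at every entry point is what makes the check hold for callers that were added later.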

Security Medium

Enforce workspace membership on V2 asset endpoints.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Sanitize filenames in upload paths to prevent path traversal.

Source: llm_adapter@2026-05-21

Confidence: high
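The changelog below describes this fix as server-side filename sanitization across all upload endpoints, handling Windows-style paths and leading-dot/whitespace edge cases, as defense in depth against S3 key pollution. The following is an added example of such a sanitizer, not Plane's code: sanitize_filename(), build_storage_key() and the sample inputs are constructed, and the key layout (server-generated prefix and object id, with the client name contributing only a sanitized extension) is an assumption about a sensible design, not something the page states.

```python
"""Server-side filename sanitization for upload paths and object-store keys."""
from __future__ import annotations

import posixpath
import re

FALLBACK_NAME = "file"
# Control characters plus characters that are illegal in Windows names and
# troublesome in object-store keys or Content-Disposition headers.
_UNSAFE = re.compile(r'[\x00-\x1f\x7f<>:"|?*]')
_DRIVE = re.compile(r"^[A-Za-z]:")
_EXT = re.compile(r"[A-Za-z0-9]{1,16}")


def sanitize_filename(name: str, fallback: str = FALLBACK_NAME) -> str:
    """Reduce a client-supplied name to a single safe path component."""
    # Windows separators become '/', so C:\dir\..\x and \\server\share\x go
    # through the same basename() step as POSIX paths.
    name = _DRIVE.sub("", name.replace("\\", "/"))
    # basename() discards every directory component, including '..' and any
    # absolute prefix; only the final segment survives.
    base = posixpath.basename(name)
    base = _UNSAFE.sub("", base)
    # Surrounding whitespace, leading dots (hidden files, and what is left of
    # '.' or '..'), trailing dots (Windows strips those silently).
    base = base.strip().lstrip(". ").rstrip(". ")
    if not base:
        return fallback
    return base[:255]


def build_storage_key(workspace_id: str, original_name: str, object_id: str) -> str:
    """Assumed key layout: the client name contributes at most a sanitized
    extension; prefix and object id are server-generated, so a crafted name
    cannot land under another prefix or overwrite an existing key."""
    safe = sanitize_filename(original_name)
    ext = ""
    if "." in safe:
        candidate = safe.rsplit(".", 1)[1].lower()
        if _EXT.fullmatch(candidate):
            ext = "." + candidate
    return f"{workspace_id}/{object_id}{ext}"


if __name__ == "__main__":
    # Constructed inputs covering the edge cases the changelog calls out.
    for raw in ["../../etc/passwd", "C:\\Users\\me\\..\\evil.png",
                "\\\\fileserver\\share\\notes.txt", "  .hidden  ", "..",
                "uploads/", "evil\x00.png", "report.pdf"]:
        print(repr(raw), "->", repr(sanitize_filename(raw)))
```

One caveat when wiring this in: the name must be sanitized after any percent-decoding the framework performs. A `%2F` that is decoded after this function runs reintroduces the separator it was meant to remove.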

Feature Medium

Replace IS_SELF_MANAGED toggle with WEBHOOK_ALLOWED_IPS allowlist for SSRF protection.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add project context to relations API.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add Claude Code skills for PR descriptions and release notes.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Bump axios from 1.15.0 to 1.15.2, uuid from 13.0.0 to 14.0.0.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Bump lodash from 4.17.23 to 4.18.1, pytest from 9.0.2 to 9.0.3.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Bump Django from 4.2.29 to 4.2.30, cryptography from 46.0.6 to 46.0.7.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Bump lxml from 6.0.0 to 6.1.0, vite from 7.3.1 to 7.3.2.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Low

Bump axios from 1.15.0 to 1.15.2, uuid from 13.0.0 to 14.0.0; add pnpm overrides for postcss and follow-redirects.

Source: granite4.1:30b@2026-05-22-audit

Confidence: high

Dependency Low

Bump Django from 4.2.29 to 4.2.30, cryptography from 46.0.6 to 46.0.7, axios, lodash, pytest, lxml, vite.

Source: granite4.1:30b@2026-05-22-audit

Confidence: high

Performance Low

Optimize sub-issue query performance.

Source: granite4.1:30b@2026-05-22-audit

Confidence: high

Bugfix Medium

Strip whitespace and handle null values in instance configuration.

Source: llm_adapter@2026-05-21

Confidence: low

Refactor Medium

Remove Intercom integration and chat support components.

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

✨ Improvements

  • Scrollbar in keyboard shortcuts modal
  • Skip role & use-case steps for self-hosted instances

🐛 Bug Fixes

  • Prevent ORM field injection via analytics segment parameter
    Security fix (GHSA-93x3-ghh7-72j3). Centralizes analytics field allowlists into VALID_ANALYTICS_FIELDS / VALID_YAXIS and adds defense-in-depth validation in build_graph_plot() and extract_axis() so no caller can pass arbitrary field references to Django F() expressions. Also adds missing segment validation to SavedAnalyticEndpoint.
  • Enforce workspace membership on V2 asset endpoints
    Security fix (GHSA-qw87-v5w3-6vxx). Adds @allow_permission to all WorkspaceFileAssetEndpoint methods and scopes DuplicateAssetEndpoint's source asset lookup to workspaces where the caller is an active member.
  • Sanitize filenames in upload paths to prevent path traversal
    Security fix (GHSA-v57h-5999-w7xp). Server-side filename sanitization across all file upload endpoints; defense-in-depth against S3 key pollution. Handles Windows-style paths and leading-dot/whitespace edge cases.
  • Replace IS_SELF_MANAGED toggle with WEBHOOK_ALLOWED_IPS allowlist
    Webhook SSRF protection: blocks all private/internal IPs by default; only specific networks listed in WEBHOOK_ALLOWED_IPS (comma-separated IPs/CIDRs) are permitted. Re-validates URL at send time to prevent DNS rebinding, sanitizes error messages, and guards mixed IPv4/IPv6 allowlists.
  • Strip whitespace and handle null values in instance configuration
    Sanitizes patched instance config values: trims leading/trailing whitespace and converts null to "" instead of the literal string "None".
  • Update border for project timezone — [WEB-6785]
  • Update Twitter icon and links to X
  • Optimize sub-issue query performance
    Adds optimized annotations and subqueries to the sub-issue listing path.
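The webhook entry above describes the protection in four parts: private/internal destinations blocked by default, exceptions only for networks listed in WEBHOOK_ALLOWED_IPS (comma-separated IPs/CIDRs), re-validation at send time against DNS rebinding, sanitized error messages and a guard for mixed IPv4/IPv6 allowlists. The following is an added example implementing those four points, not Plane's code: the setting name and format come from the changelog, while the function names, the injected resolver, the FAKE_DNS fixture and the sample addresses (93.184.216.34 and 151.101.1.69 standing in for public hosts) are constructed so the example runs offline.

```python
"""WEBHOOK_ALLOWED_IPS-style destination check for outbound webhooks."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Union
from urllib.parse import urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], list]


class WebhookURLError(ValueError):
    """Messages stay generic on purpose: they never echo the resolved
    address, so the error cannot be used to probe the internal network."""


def parse_allowed_ips(raw: str) -> list:
    """Parse the comma-separated IPs/CIDRs; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(t.strip(), strict=False)
            for t in raw.split(",") if t.strip()]


def system_resolver(host: str) -> list:
    """Default resolver using the OS; the fixture below is injected instead."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


def _unmap(addr: Address) -> Address:
    # ::ffff:10.0.0.1 is 10.0.0.1 in disguise; compare it as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def _is_internal(addr: Address) -> bool:
    addr = _unmap(addr)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def _allowlisted(addr: Address, allowed: list) -> bool:
    addr = _unmap(addr)
    # Mixed-family guard: an IPv6 allowlist entry never matches an IPv4 address.
    return any(addr.version == net.version and addr in net for net in allowed)


def check_webhook_url(url: str, allowed: list, resolver: Resolver = system_resolver) -> str:
    """Validate the URL and return the one address the transport may connect to.
    Every resolved address must be public or allowlisted; a name whose answers
    mix public and internal addresses is rejected as a whole."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise WebhookURLError("webhook URL must be http(s) with a host")
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except ValueError:
        addrs = []
    if not addrs:
        raise WebhookURLError("webhook host did not resolve")
    if any(_is_internal(a) and not _allowlisted(a, allowed) for a in addrs):
        raise WebhookURLError("webhook destination is not permitted")
    return str(addrs[0])


def deliver(url: str, allowed: list, resolver: Resolver, send: Callable[[str, str], None]) -> str:
    """Send-time path: validate again immediately before sending and hand the
    transport the vetted IP (the URL keeps the original host for Host/SNI), so
    a DNS answer that changed since the webhook was saved cannot redirect it."""
    pinned_ip = check_webhook_url(url, allowed, resolver)
    send(pinned_ip, url)
    return pinned_ip


def is_permitted(url: str, allowed_raw: str = "", resolver: Resolver = system_resolver) -> bool:
    try:
        check_webhook_url(url, parse_allowed_ips(allowed_raw), resolver)
        return True
    except WebhookURLError:
        return False


# Constructed DNS fixture so the example runs offline.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.example.net": ["151.101.1.69", "10.0.0.5"],  # public and internal answers
    "ci.internal": ["10.1.2.3"],
}


def fake_resolver(host: str) -> list:
    try:
        return [str(ipaddress.ip_address(host))]  # a literal IP resolves to itself
    except ValueError:
        return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url, allow in [("https://hooks.example.com/hook", ""), ("http://ci.internal/hook", ""),
                       ("http://ci.internal/hook", "10.1.2.0/24"),
                       ("http://169.254.169.254/latest/meta-data/", ""),
                       ("http://10.1.2.3/", "fd00::/8")]:
        print(f"{url:44} allow={allow or '-':12} -> {is_permitted(url, allow, fake_resolver)}")
```

The send-time check only closes the rebinding window if the transport actually connects to the returned address rather than resolving the hostname a second time itself; with a plain HTTP client that means connecting to the IP and setting the Host header (and SNI) from the original URL.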

🔧 Refactor & Chore

  • Remove Intercom integration and chat support components
    Intercom is no longer used. Removes all related frontend components, hooks, custom events, API config, types, and i18n keys.
  • Add project context to relations API
  • Suppress CodeQL file coverage deprecation warning
    Explicitly opts into the new default behavior where CodeQL skips computing file coverage on PRs for improved analysis performance.
  • Update CODEOWNERS for apps and deployments
  • Add Claude Code skills for PR descriptions and release notes

📦 Dependencies

  • Bump axios 1.15.0 → 1.15.2, uuid 13.0.0 → 14.0.0; add pnpm overrides pinning postcss >=8.5.10 and follow-redirects >=1.16.0
  • Bump Django 4.2.29 → 4.2.30, cryptography 46.0.6 → 46.0.7, axios 1.13.5 → 1.15.0, lodash 4.17.23 → 4.18.1
  • Bump vite 7.3.1 → 7.3.2
  • Bump pytest 9.0.2 → 9.0.3
  • Bump lxml 6.0.0 → 6.1.0

Security Fixes

  • GHSA-93x3-ghh7-72j3 – Prevents ORM field injection via analytics segment parameter by centralizing allowlists (`VALID_ANALYTICS_FIELDS`, `VALID_YAXIS`) and adding validation in `build_graph_plot()` and `extract_axis()`
  • GHSA-qw87-v5w3-6vxx – Enforces workspace membership on V2 asset endpoints using `@allow_permission` decorator
  • GHSA-v57h-5999-w7xp – Sanitizes filenames in upload paths to prevent path traversal across all file upload endpoints


About plane

Open-source Jira, Linear, Monday, and ClickUp alternative. Plane is a modern project management platform to manage tasks, sprints, docs, and triage.
