mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 20:10:06 +02:00
The `create` handler validated the network (SECRET/PUBLIC) check against a workspace-scoped queryset but then used the raw client-supplied `project_ids` list in the subsequent bulk_create and update calls. An attacker could include UUIDs of projects from other workspaces: those are absent from the validation queryset (no network check performed), yet get inserted as ProjectMember rows via bulk_create(ignore_conflicts=True), granting cross-workspace project access. Fix: derive `validated_project_ids` from the filtered queryset (projects already scoped to the requested workspace and passed the SECRET check), and use it exclusively for all subsequent DB writes. Co-authored-by: Plane AI <noreply@plane.so>