From a28a51feaaece080d205e23077fc43395cbcd3bd Mon Sep 17 00:00:00 2001
From: sriramveeraghanta
Date: Tue, 31 Mar 2026 17:24:23 +0530
Subject: [PATCH] fix: scope IssueBulkUpdateDateEndpoint query to workspace and project

The bulk update date endpoint fetched issues by ID without filtering by workspace or project, allowing any authenticated project member to modify start_date and target_date of issues in any workspace/project across the entire instance (IDOR - CWE-639). Scoped the query to include workspace__slug and project_id filters, consistent with other issue endpoints in the codebase.

Ref: GHSA-4q54-h4x9-m329
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/api/plane/app/views/issue/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/api/plane/app/views/issue/base.py b/apps/api/plane/app/views/issue/base.py
index 98a59b6481c..bb331802c84 100644
--- a/apps/api/plane/app/views/issue/base.py
+++ b/apps/api/plane/app/views/issue/base.py
@@ -1118,7 +1118,7 @@ def post(self, request, slug, project_id):
         epoch = int(timezone.now().timestamp())
 
         # Fetch all relevant issues in a single query
-        issues = list(Issue.objects.filter(id__in=issue_ids))
+        issues = list(Issue.objects.filter(id__in=issue_ids, workspace__slug=slug, project_id=project_id))
         issues_dict = {str(issue.id): issue for issue in issues}
         issues_to_update = []
 
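Review bot: With the added scope on the `issues = list(Issue.objects.filter(...))` line, any requested ID that lies outside the URL's workspace/project is now silently absent from `issues_dict` rather than rejected, so a client that mixes in foreign IDs gets a partial update with no signal; whether the loop below reports those IDs depends on code outside the hunk, so it is worth confirming and, if it does not, computing `missing = set(map(str, issue_ids)) - issues_dict.keys()` and returning a 400 or 404 before any save. The comment on the preceding line should state the intent of the new filter so it is not loosened again during a refactor, e.g. `# Fetch all relevant issues in a single query, scoped to the URL's workspace and project (authorization boundary; do not drop these filters)`. The new line is long for the file's style and would read better wrapped with one keyword argument per line. The enclosing post() starts before the hunk and continues after it.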