From d4e802648dd7f2fc18bfa5fafe76c8ce03a2a2a8 Mon Sep 17 00:00:00 2001
From: Manish Gupta
Date: Fri, 19 Jun 2026 17:08:20 +0530
Subject: [PATCH 1/2] fix(security): scope cascade deletes to workspace in BulkDeleteIssuesEndpoint

CycleIssue and ModuleIssue cascade deletes used raw issue_ids from the request instead of the already workspace+project scoped issues queryset, allowing cross-workspace deletion of related records. Fixes GHSA-6cw7-h92q-p9hg and GHSA-2rr4-rp7r-32p4. GHSA-7q7r-mrr4-2wwx (sub-issue parent reassign) covered in WEB-7727.

Co-authored-by: Plane AI
---
 apps/api/plane/app/views/issue/base.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/api/plane/app/views/issue/base.py b/apps/api/plane/app/views/issue/base.py
index d9e2ea5a5a8..87acd7fbf03 100644
--- a/apps/api/plane/app/views/issue/base.py
+++ b/apps/api/plane/app/views/issue/base.py
@@ -771,10 +771,11 @@ def delete(self, request, slug, project_id):
         total_issues = len(issues)
 
         # First, delete all related cycle issues
-        CycleIssue.objects.filter(issue_id__in=issue_ids).delete()
+        # Use scoped `issues` queryset (not raw issue_ids) to prevent cross-WS deletion (GHSA-2rr4-rp7r-32p4)
+        CycleIssue.objects.filter(issue__in=issues).delete()
 
         # Then, delete all related module issues
-        ModuleIssue.objects.filter(issue_id__in=issue_ids).delete()
+        ModuleIssue.objects.filter(issue__in=issues).delete()
 
         # Finally, delete the issues themselves
         issues.delete()

From 85ee49a6416e45f5ae6d3e0d47603f7e076c577f Mon Sep 17 00:00:00 2001
From: sriramveeraghanta
Date: Sat, 20 Jun 2026 16:39:42 +0530
Subject: [PATCH 2/2] chore: remove advisory ID reference from code comment

---
 apps/api/plane/app/views/issue/base.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/api/plane/app/views/issue/base.py b/apps/api/plane/app/views/issue/base.py
index 87acd7fbf03..3868498d1d2 100644
--- a/apps/api/plane/app/views/issue/base.py
+++ b/apps/api/plane/app/views/issue/base.py
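Review bot: The three deletes in this hunk — the CycleIssue delete, the ModuleIssue delete and `issues.delete()` — are issued as separate statements with no `transaction.atomic()` visible, so a failure after the first delete leaves the issues present but stripped of their cycle/module links; `delete` begins above the hunk, so if an atomic block already encloses it this is moot, otherwise wrap the three calls in `with transaction.atomic():` (needs `from django.db import transaction` if not already imported). Passing the scoped `issues` queryset as `issue__in` makes the ORM emit it as a subquery rather than reusing the rows fetched by `len(issues)`, which is correct here but means the fix is only as strong as the workspace/project filter applied to `issues` outside the hunk — a regression test that submits an id from another workspace and asserts its CycleIssue/ModuleIssue rows survive would pin that. Since the follow-up commit drops the advisory reference, keep a neutral why-comment on the new line, e.g. `# Filter via the workspace/project-scoped queryset, never the raw request ids`, so the intent survives the next refactor.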
@@ -771,7 +771,6 @@ def delete(self, request, slug, project_id):
         total_issues = len(issues)
 
         # First, delete all related cycle issues
-        # Use scoped `issues` queryset (not raw issue_ids) to prevent cross-WS deletion (GHSA-2rr4-rp7r-32p4)
         CycleIssue.objects.filter(issue__in=issues).delete()
 
         # Then, delete all related module issues