From 8c23fdd1d865f9bf3fd7edc7c7f2a60828523216 Mon Sep 17 00:00:00 2001
From: sriram veeraghanta
Date: Fri, 20 Feb 2026 18:33:45 +0530
Subject: [PATCH] fix: Member Information Disclosure via Public Endpoint #8646
---
 apps/api/plane/space/views/project.py | 10 ++++++----
 apps/space/core/types/member.d.ts | 6 +-----
 packages/types/src/users.ts | 6 +-----
 3 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/apps/api/plane/space/views/project.py b/apps/api/plane/space/views/project.py
index 6f332781f..0e19085a0 100644
--- a/apps/api/plane/space/views/project.py
+++ b/apps/api/plane/space/views/project.py
@@ -63,6 +63,11 @@ class ProjectMembersEndpoint(BaseAPIView):
 def get(self, request, anchor):
 deploy_board = DeployBoard.objects.filter(anchor=anchor).first()
+ if not deploy_board:
+ return Response(
+ {"error": "Invalid anchor"},
+ status=status.HTTP_404_NOT_FOUND,
+ )
 members = ProjectMember.objects.filter(
 project=deploy_board.project,
@@ -71,10 +76,7 @@ class ProjectMembersEndpoint(BaseAPIView):
 ).values(
 "id",
 "member",
- "member__first_name",
- "member__last_name",
 "member__display_name",
- "project",
- "workspace",
+ "member__avatar",
 )
 return Response(members, status=status.HTTP_200_OK)
diff --git a/apps/space/core/types/member.d.ts b/apps/space/core/types/member.d.ts
index 721ccd98f..34c95daf6 100644
--- a/apps/space/core/types/member.d.ts
+++ b/apps/space/core/types/member.d.ts
@@ -1,10 +1,6 @@
 export type TPublicMember = {
 id: string;
 member: string;
- member__avatar: string;
- member__first_name: string;
- member__last_name: string;
 member__display_name: string;
- project: string;
- workspace: string;
+ member__avatar: string;
 };
diff --git a/packages/types/src/users.ts b/packages/types/src/users.ts
index 9278996a7..7760a0a8c 100644
--- a/packages/types/src/users.ts
+++ b/packages/types/src/users.ts
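Review bot: The lookup at the top of `get` still selects the DeployBoard by `anchor` alone, so the new 404 guard rejects a missing row but not a row of the wrong kind. If DeployBoard can also represent published items other than a whole project (the model is not visible in this hunk), the anchor of any such item would be accepted here and the owning project's member list returned; restricting the filter to project-level boards, or checking the board's type before building the query, would keep the endpoint scoped to what was actually published. The body of `get` starts before and continues past this hunk, so the remaining filter arguments could not be checked.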
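Review bot: The `.values(...)` allowlist in the second hunk is the only control on what this public endpoint returns, and nothing in the change pins it. I would add a comment directly above it, `# Public endpoint: every field listed here is readable without authentication`, and a regression test asserting that each returned row has exactly the keys `id`, `member`, `member__display_name` and `member__avatar`, so a later edit cannot quietly re-add name or workspace fields. `member` still hands the user's primary key to anonymous callers; that may be needed to match members against issue data in the public view, but it is worth stating in the comment so the choice is deliberate. The filter arguments between the two hunks are not shown, so whether inactive or bot members are excluded cannot be confirmed from here.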
@@ -196,12 +196,8 @@ export type TProfileViews = "assigned" | "created" | "subscribed";
 export type TPublicMember = {
 id: string;
 member: string;
- member__avatar: string;
- member__first_name: string;
- member__last_name: string;
 member__display_name: string;
- project: string;
- workspace: string;
+ member__avatar: string;
 };
 // export interface ICurrentUser {