CVE-2026-11764

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

CVSS

No CVSS.

References

Link	Resource
https://pretix.eu/about/en/blog/20260609-release-2026-5-1/

Configurations

No configuration.

History

09 Jun 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-09 13:16

Updated : 2026-06-09 13:57

NVD link : CVE-2026-11764

Mitre link : CVE-2026-11764

CVE.ORG link : CVE-2026-11764

JSON object : View

Products Affected

No product.

CWE

CWE-280

Improper Handling of Insufficient Permissions or Privileges

{"id": "CVE-2026-11764", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 3.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-06-09T13:16:35.533", "references": [{"url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "description": [{"lang": "en", "value": "CWE-280"}]}], "descriptions": [{"lang": "en", "value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."}], "lastModified": "2026-06-09T13:57:49.980", "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}

CVE-2026-11764

JSON object

Attach tags to CVE-2026-11764

Attach tags to `CVE-2026-11764`