CVE-2026-5600

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually has no way to match these IDs (position) back to individual people.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://pretix.eu/about/en/blog/20260408-release-2026-3-1/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pretix:pretix::::::::
	cpe:2.3:a:pretix:pretix::::::::
	cpe:2.3:a:pretix:pretix::::::::

History

24 Apr 2026, 17:46

Type	Values Removed	Values Added
References	~~() https://pretix.eu/about/en/blog/20260408-release-2026-3-1/ -~~	() https://pretix.eu/about/en/blog/20260408-release-2026-3-1/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
First Time		Pretix Pretix pretix
CPE		cpe:2.3:a:pretix:pretix::::::::

08 Apr 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 13:16

Updated : 2026-04-24 17:46

NVD link : CVE-2026-5600

Mitre link : CVE-2026-5600

CVE.ORG link : CVE-2026-5600

JSON object : View

Products Affected

pretix

pretix

CWE

CWE-653

Improper Isolation or Compartmentalization

{"id": "CVE-2026-5600", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-08T13:16:43.543", "references": [{"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/", "tags": ["Vendor Advisory"], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "description": [{"lang": "en", "value": "CWE-653"}]}], "descriptions": [{"lang": "en", "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."}], "lastModified": "2026-04-24T17:46:14.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "467C4FAB-6446-4716-9C03-7AC9B72ECF58", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2025.10.0"}, {"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BFC10B5-5C62-4E2B-A387-9AB3F5A06F75", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0"}, {"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DBC4AF8-B234-4ACB-BB04-06CC103DFF47", "versionEndExcluding": "2026.3.1", "versionStartIncluding": "2026.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}