Skip to main content

pretix CVE-2026-13602

| EUVDEUVD-2026-40995 HIGH
Improper Input Validation (CWE-20)
2026-07-01 rami.io GHSA-q93m-6jvc-jc45
7.7
CVSS 4.0 · Vendor: rami.io
Share

Severity by source

Vendor (rami.io) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable and low-complexity but requires an existing backend event account (PR:L); becoming any user crosses a privilege boundary (S:C) with full C/I/A compromise.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (rami.io).

CVSS VectorVendor: rami.io

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 16:01 EUVD
Analysis Generated
Jul 01, 2026 - 14:53 vuln.today

DescriptionCVE.org

We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:

*

The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set.

*

An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature.

*

A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.

AnalysisAI

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to pretix backend with low-privilege event access
Delivery
Craft link abusing Referer-redirect signing oracle
Exploit
Obtain valid signature over arbitrary session parameters
Install
Inject signed blob into payment plugin session transport
C2
Write attacker-chosen parameters into own session
Execute
Abuse admin act-as feature guessing target user ID
Impact
Assume any user identity and access all data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold authenticated access to at least one event in the pretix backend (CVSS PR:L), so this is an insider/multi-tenant escalation, not remote-unauthenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N with High confidentiality/integrity/availability on both vulnerable and subsequent systems) scores 7.7 and is internally consistent with the described impact: a network-reachable, low-complexity chain that requires only low privileges (access to at least one event in the backend) and no user interaction, yielding full account takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious event organizer with a legitimate low-privilege backend account on a shared pretix instance crafts links against the Referer-obfuscation redirect feature to have the server cryptographically sign arbitrary session parameters, then injects that signed blob into a payment plugin's session-transport path, which accepts it because only the signature is checked. Having written attacker-controlled parameters into their own session, they invoke the admin "act on behalf of" impersonation feature and guess a target user ID to switch into any account and read all its data. …
Remediation Patch available per vendor advisory: upgrade the pretix core to the release issued 2026-07-01 (release 2026.5.3, https://pretix.eu/about/en/blog/20260701-release-2026-5-3/) and simultaneously update every installed affected payment plugin (pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) to their same-day fixed releases, since core and plugins were patched in a coordinated set and a partial upgrade leaves the chain intact. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enumerate all pretix installations and payment plugin versions; restrict backend operator access to minimum-required principals; review recent access logs for anomalies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Pretix

View all
CVE-2024-27447 CRITICAL
9.8 Feb 26

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2026-57532 HIGH
8.8 Jun 25

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript

CVE-2023-44464 HIGH
7.8 Sep 29

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen

CVE-2023-27891 HIGH
7.5 Mar 06

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS

CVE-2024-8113 HIGH
7.2 Aug 23

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag

CVE-2026-2451 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2415 MEDIUM
5.9 Feb 16

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information

CVE-2026-5600 MEDIUM
5.5 Apr 08

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ

CVE-2026-13225 MEDIUM
5.3 Jun 25

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit

CVE-2023-44463 MEDIUM
5.3 Oct 02

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl

CVE-2026-11764 LOW
3.6 Jun 09

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift car

Share

CVE-2026-13602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy