Skip to main content

Venueless CVE-2026-4982

| EUVDEUVD-2026-16593 HIGH
Improper Input Validation (CWE-20)
2026-03-27 rami.io
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.3.27.e20083a
EUVD ID Assigned
Mar 27, 2026 - 13:00 euvd
EUVD-2026-16593
Analysis Generated
Mar 27, 2026 - 13:00 vuln.today
CVE Published
Mar 27, 2026 - 12:32 nvd
HIGH 7.3

DescriptionCVE.org

A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.

The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.

AnalysisAI

Venueless instances allow authenticated users with 'update world' permissions to exfiltrate chat messages from direct messages or other worlds' channels via a flaw in the reporting feature, provided the attacker can obtain the target channel's internal UUID. This cross-world information disclosure affects Pretix Venueless across versions prior to patching, and exploitability is constrained by the requirement to discover internal identifiers that are not typically exposed to unauthorized users.

Technical ContextAI

Venueless is a virtual conference platform built by Pretix (cpe:2.3:a:pretix:venueless:*:*:*:*:*:*:*:*). The vulnerability stems from improper input validation (CWE-20) in the message reporting mechanism, which fails to enforce world isolation boundaries when processing channel UUIDs. The reporting feature, intended to allow flagging of inappropriate messages within a user's own world, does not properly validate that the reported channel belongs to the world context where the user holds 'update world' privileges. This allows the authenticated attacker to craft requests targeting channel UUIDs from other worlds, bypassing access control checks and returning message content that should remain isolated.

RemediationAI

Consult the official Venueless security advisory at https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp to obtain the specific patched version and upgrade immediately. The patch should enforce strict world isolation in the reporting feature by validating that any reported channel UUID belongs to the requesting user's current world context before processing. Until patching is possible, restrict assignment of 'update world' permissions to trusted administrators only and disable the message reporting feature if not essential. Additionally, monitor message exfiltration patterns and audit logs for cross-world reporting requests, which would indicate exploitation attempts.

Share

CVE-2026-4982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy