Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.
The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
AnalysisAI
Venueless instances allow authenticated users with 'update world' permissions to exfiltrate chat messages from direct messages or other worlds' channels via a flaw in the reporting feature, provided the attacker can obtain the target channel's internal UUID. This cross-world information disclosure affects Pretix Venueless across versions prior to patching, and exploitability is constrained by the requirement to discover internal identifiers that are not typically exposed to unauthorized users.
Technical ContextAI
Venueless is a virtual conference platform built by Pretix (cpe:2.3:a:pretix:venueless:*:*:*:*:*:*:*:*). The vulnerability stems from improper input validation (CWE-20) in the message reporting mechanism, which fails to enforce world isolation boundaries when processing channel UUIDs. The reporting feature, intended to allow flagging of inappropriate messages within a user's own world, does not properly validate that the reported channel belongs to the world context where the user holds 'update world' privileges. This allows the authenticated attacker to craft requests targeting channel UUIDs from other worlds, bypassing access control checks and returning message content that should remain isolated.
RemediationAI
Consult the official Venueless security advisory at https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp to obtain the specific patched version and upgrade immediately. The patch should enforce strict world isolation in the reporting feature by validating that any reported channel UUID belongs to the requesting user's current world context before processing. Until patching is possible, restrict assignment of 'update world' permissions to trusted administrators only and disable the message reporting feature if not essential. Additionally, monitor message exfiltration patterns and audit logs for cross-world reporting requests, which would indicate exploitation attempts.
Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to del
Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legit
Formula injection in Venueless Excel exports allows an attacker with a low-privilege account to embed malicious spreadsh
Incorrect authorization logic during room creation in Venueless permits authenticated low-privilege users to create room
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16593