Skip to main content

Venueless CVE-2026-5599

| EUVDEUVD-2026-19085 HIGH
Improper Isolation or Compartmentalization (CWE-653)
2026-04-05 rami.io
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:06 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
02b9cbe5
EUVD ID Assigned
Apr 05, 2026 - 12:45 euvd
EUVD-2026-19085
Analysis Generated
Apr 05, 2026 - 12:45 vuln.today
CVE Published
Apr 05, 2026 - 12:36 nvd
HIGH 7.3

DescriptionCVE.org

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.

AnalysisAI

Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.

Technical ContextAI

Venueless is an open-source virtual event platform supporting multiple isolated 'worlds' (tenant instances). This vulnerability stems from CWE-653 (Improper Isolation or Compartmentalization), indicating insufficient boundary enforcement between tenant contexts. The affected component is venueless (CPE 2.3:a:pretix:venueless), where the API's user deletion functionality fails to validate that the target user account belongs to the same world context as the authenticated session. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation with low complexity requiring only low-privilege authenticated access, while the high system-level impact metrics (SC:H/SI:H/SA:H) reflect the cross-tenant scope affecting confidentiality, integrity, and availability of other worlds' data.

RemediationAI

Upgrade venueless to a version incorporating commit 02b9cbe5 or later, which addresses the improper tenant isolation flaw. The upstream fix is available through the GitHub repository, as referenced in the security advisory at https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4. Organizations should immediately apply this patch for any multi-world venueless deployments. As an interim mitigation, review and restrict API access credentials and 'manage users' permissions to only highly trusted administrators, and implement additional monitoring for cross-world user deletion API calls until patching is complete. Operators should audit recent user deletion activity logs to identify any potential exploitation prior to remediation.

Share

CVE-2026-5599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy