Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
AnalysisAI
Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.
Technical ContextAI
Venueless is an open-source virtual event platform supporting multiple isolated 'worlds' (tenant instances). This vulnerability stems from CWE-653 (Improper Isolation or Compartmentalization), indicating insufficient boundary enforcement between tenant contexts. The affected component is venueless (CPE 2.3:a:pretix:venueless), where the API's user deletion functionality fails to validate that the target user account belongs to the same world context as the authenticated session. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation with low complexity requiring only low-privilege authenticated access, while the high system-level impact metrics (SC:H/SI:H/SA:H) reflect the cross-tenant scope affecting confidentiality, integrity, and availability of other worlds' data.
RemediationAI
Upgrade venueless to a version incorporating commit 02b9cbe5 or later, which addresses the improper tenant isolation flaw. The upstream fix is available through the GitHub repository, as referenced in the security advisory at https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4. Organizations should immediately apply this patch for any multi-world venueless deployments. As an interim mitigation, review and restrict API access credentials and 'manage users' permissions to only highly trusted administrators, and implement additional monitoring for cross-world user deletion API calls until patching is complete. Operators should audit recent user deletion activity logs to identify any potential exploitation prior to remediation.
Venueless instances allow authenticated users with 'update world' permissions to exfiltrate chat messages from direct me
Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legit
Formula injection in Venueless Excel exports allows an attacker with a low-privilege account to embed malicious spreadsh
Incorrect authorization logic during room creation in Venueless permits authenticated low-privilege users to create room
Same weakness CWE-653 – Improper Isolation or Compartmentalization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19085