Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:
{ "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" }
An unauthorized user usually has no way to match these IDs (position) back to individual people.
AnalysisAI
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.
Technical ContextAI
The vulnerability stems from improper scope enforcement in a newly introduced API endpoint (CWE-653: Improper Authorization). Rather than filtering check-in event records by the requested event identifier, the endpoint applies authorization logic at the organizer level only, returning all scan events associated with the user's organizer context. Check-in events are sensitive records containing structured data about ticket validations (position IDs, scan timestamps, gate information, and device identifiers). The affected product is pretix, an open-source ticket sales and event management platform (CPE: cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*). The root cause is insufficient parameter validation or query filtering when constructing the API response-the endpoint accepts an event parameter but does not enforce it in the database query or response filtering logic.
RemediationAI
Vendor-released patches are available: upgrade to pretix 2026.2.1 or later (for 2026.2.x branch), pretix 2026.3.1 or later (for 2026.3.x branch), or pretix 2026.1.2 or later (for 2025.10.x through 2026.1.x). Detailed patch information and release notes are available at https://pretix.eu/about/en/blog/20260408-release-2026-3-1/. As an interim workaround, organizations should audit API consumer access controls and revoke high-privilege API credentials for organizers or applications that do not require check-in event API access. Review API logs to identify any unauthorized cross-organizer check-in data access patterns and assess whether exposed check-in events (which contain ticket IDs and scan metadata but not direct PII) have been correlated with external data to re-identify attendees.
pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript
pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information
HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit
An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift car
Same weakness CWE-653 – Improper Isolation or Compartmentalization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20463
GHSA-wr8q-c73g-m7gp