Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download.
One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.
AnalysisAI
Unauthorized file download in pretix's export API allows an authenticated attacker to retrieve export files belonging to other users by supplying a UUID not associated with their own account. Affected versions span a wide range from pretix 2024.10.0 through the 2026.4.x series prior to the 2026.4.2 patch. Exploitation is significantly constrained by the CVSS 4.0 AT:P (Attack Target: Prerequisite) condition - the attacker must independently obtain a valid UUID for a target file, making opportunistic exploitation unlikely absent a secondary information-disclosure weakness. No public exploit code exists and no active exploitation has been identified at time of analysis.
Technical ContextAI
pretix is an open-source event ticketing and registration platform with a REST API. When an API client triggers an export job, pretix generates a UUID-based job identifier and later produces a temporary file keyed by that same UUID. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause precisely: the system uses a user-controllable value (the UUID) as the sole authorization token for file retrieval at one specific download endpoint, without binding it back to the authenticated session or verifying ownership. This is a classic Insecure Direct Object Reference (IDOR). The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L) confirms the attack is network-reachable and low-complexity once prerequisites are met, but the AT:P modifier captures the mandatory precondition: possessing a valid UUID for the target resource. The high confidentiality impact ratings on both the vulnerable system (VC:H) and subsequent/scope systems (SC:H) reflect that export files may contain sensitive event registration, attendee, or financial data.
RemediationAI
Upgrade to pretix 2026.4.2, which addresses the missing authorization check on the affected download endpoint per the vendor release blog at https://pretix.eu/about/en/blog/20260527-release-2026-4-2/. The patch version 2026.4.2 is inferred from the URL naming convention in the provided reference - it has not been independently verified against a separate changelog or release tag, so operators should confirm the exact patched version against the vendor advisory before deploying. For deployments that cannot be immediately upgraded, a compensating control is to restrict API access to the download endpoint at the network or WAF level to only those IP ranges or API clients that legitimately require it, thereby reducing the pool of authenticated accounts that could exploit the IDOR. Note that this workaround does not eliminate the flaw and may impact legitimate export workflows. Reviewing API access logs for any UUID values appearing across multiple authenticated sessions would help detect prior exploitation attempts.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32530
GHSA-72p9-6vv6-gvqh