Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N because exploitation is performed remotely via callback replay; AC:H because a prior legitimate payment is a hard prerequisite; PR:N since any public user can make a payment; no confidentiality or availability impact, only limited integrity loss.
Primary rating from Vendor (rami.io).
CVSS VectorVendor: rami.io
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
AnalysisAI
Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have completed at least one successful, real payment through the Oppwa-integrated checkout on the target pretix instance in order to obtain a valid payment status response to replay. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 (Medium) accurately reflects the practical barriers: AC:H and AT:P together require the attacker to first complete a genuine Oppwa payment and obtain its success callback, which is not a trivially automated precondition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker purchases one event ticket legitimately through an Oppwa-integrated pretix checkout, capturing or logging the successful payment status callback delivered to the pretix-oppwa endpoint. The attacker then replays that same valid response against one or more separate, unpaid orders in the same pretix instance, causing the platform to mark those orders as paid and issue valid tickets without any corresponding financial transaction. |
| Remediation | The primary fix is to upgrade the pretix-oppwa plugin to the version released alongside Pretix 2026-5.2, as documented at https://pretix.eu/about/en/blog/20260625-release-2026-5-2/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Pretix Oppwa
View allServer-side URL manipulation in the pretix-oppwa payment plugin (fixed in pretix 2026.5.3) lets a remote attacker exfilt
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39414
GHSA-x48c-p6xp-x2xg