Skip to main content

pretix-oppwa EUVDEUVD-2026-40958

| CVE-2026-13603 CRITICAL
Improper Input Validation (CWE-20)
2026-07-01 rami.io GHSA-29fq-jc8m-8rq2
9.0
CVSS 4.0 · Vendor: rami.io
Share

Severity by source

Vendor (rami.io) PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Unauthenticated network attacker manipulates resourcePath during the payment return to exfiltrate the provider API token; scope changes to the payment provider system (S:C), with high confidentiality and limited integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (rami.io).

CVSS VectorVendor: rami.io

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 15:16 EUVD
Analysis Generated
Jul 01, 2026 - 14:21 vuln.today

DescriptionCVE.org

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.

Our plugin pretix-oppwa did so insecurely by concatenating the parameter form the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL.

After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.

AnalysisAI

Server-side URL manipulation in the pretix-oppwa payment plugin (fixed in pretix 2026.5.3) lets a remote attacker exfiltrate the Oppwa API access token by tampering with the resourcePath return parameter. Because the plugin concatenated the attacker-controlled resourcePath onto the API base domain without a separating slash or validation, a crafted value redirects pretix's server-side status-check request - which carries the account API key - to an attacker-controlled host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enter Oppwa checkout return flow
Delivery
Craft malicious resourcePath parameter
Exploit
Concatenation redirects status fetch to attacker host
Execution
pretix sends request carrying Oppwa API token
Persist
Attacker captures leaked access token
Impact
Access payment provider data with token

Vulnerability AssessmentAI

Exploitation Exploitation requires a pretix deployment running the pretix-oppwa plugin configured with an Oppwa-based payment provider (e.g., VR Payment or Hobex) and reaching the payment-return step where the resourcePath query parameter is processed; the attacker manipulates that resourcePath value so the concatenated (slash-less) base-URL-plus-path resolves to an attacker-controlled host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score is 9.0 (Critical) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L, indicating a network-reachable, low-complexity, unauthenticated flaw with high confidentiality/integrity impact and a scope change into the payment provider system (SC:H/SI:H) - consistent with the described token leakage granting access to provider data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker participating in a checkout through an Oppwa-based provider crafts the resourcePath return parameter so that concatenation with the slash-less base domain yields a URL pointing at a server they control. When pretix performs its server-side transaction status fetch, it sends the Oppwa account access token to the attacker's server, disclosing the API key. …
Remediation Vendor-released patch: update pretix and the pretix-oppwa plugin to the 2026.5.3 release, which strictly validates the constructed API URL - see the advisory at https://pretix.eu/about/en/blog/20260701-release-2026-5-3/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all pretix instances with active Oppwa payment processing; Within 7 days: upgrade all identified instances to pretix version 2026.5.3 or later; Within 30 days: audit Oppwa API access logs for unauthorized activity and rotate any potentially compromised credentials.

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy