Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network attacker manipulates resourcePath during the payment return to exfiltrate the provider API token; scope changes to the payment provider system (S:C), with high confidentiality and limited integrity impact.
Primary rating from Vendor (rami.io).
CVSS VectorVendor: rami.io
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.
Our plugin pretix-oppwa did so insecurely by concatenating the parameter form the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL.
After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
AnalysisAI
Server-side URL manipulation in the pretix-oppwa payment plugin (fixed in pretix 2026.5.3) lets a remote attacker exfiltrate the Oppwa API access token by tampering with the resourcePath return parameter. Because the plugin concatenated the attacker-controlled resourcePath onto the API base domain without a separating slash or validation, a crafted value redirects pretix's server-side status-check request - which carries the account API key - to an attacker-controlled host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a pretix deployment running the pretix-oppwa plugin configured with an Oppwa-based payment provider (e.g., VR Payment or Hobex) and reaching the payment-return step where the resourcePath query parameter is processed; the attacker manipulates that resourcePath value so the concatenated (slash-less) base-URL-plus-path resolves to an attacker-controlled host. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score is 9.0 (Critical) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L, indicating a network-reachable, low-complexity, unauthenticated flaw with high confidentiality/integrity impact and a scope change into the payment provider system (SC:H/SI:H) - consistent with the described token leakage granting access to provider data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker participating in a checkout through an Oppwa-based provider crafts the resourcePath return parameter so that concatenation with the slash-less base domain yields a URL pointing at a server they control. When pretix performs its server-side transaction status fetch, it sends the Oppwa account access token to the attacker's server, disclosing the API key. … |
| Remediation | Vendor-released patch: update pretix and the pretix-oppwa plugin to the 2026.5.3 release, which strictly validates the constructed API URL - see the advisory at https://pretix.eu/about/en/blog/20260701-release-2026-5-3/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all pretix instances with active Oppwa payment processing; Within 7 days: upgrade all identified instances to pretix version 2026.5.3 or later; Within 30 days: audit Oppwa API access logs for unauthorized activity and rotate any potentially compromised credentials.
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Pretix Oppwa
View allPrivilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin
Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Opp
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40958
GHSA-29fq-jc8m-8rq2