3.8

CVE-2026-9712

Insecure direct object reference

When creating an export through the pretix API, API clients are returned a UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download.

One remaining API endpoint, however, did not verify whether the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In practice this is hard to exploit, because an attacker would need access to a valid UUID for the file they want, which is unlikely without a separate security problem giving them access to logs or similar.
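The check the description says was missing, shown as an added example in plain Python (not pretix's own code): a download handler that selects the file by UUID alone, beside one that treats the UUID only as an index into the requesting user's own finished exports. The in-memory job store, the user names and the file paths are constructed for the example.

```python
"""Ownership check for UUID-keyed download endpoints (CWE-639).

Added illustration, not pretix's own code: the in-memory job store, the
user names and file paths below are constructed for the example.
"""
import uuid
from dataclasses import dataclass


class NotFound(Exception):
    """Raised where a web framework would answer with HTTP 404."""


@dataclass(frozen=True)
class ExportJob:
    job_id: uuid.UUID
    owner: str        # user (or API token) that created the export
    ready: bool       # True once the file exists and may be downloaded
    path: str         # storage location of the generated file


# Constructed sample data: two users with one finished job each, plus one
# job of alice's that is still running and must not be served yet.
JOBS = {
    job.job_id: job
    for job in (
        ExportJob(uuid.UUID("11111111-1111-4111-8111-111111111111"),
                  "alice", True, "/exports/alice-orders.csv"),
        ExportJob(uuid.UUID("22222222-2222-4222-8222-222222222222"),
                  "bob", True, "/exports/bob-orders.csv"),
        ExportJob(uuid.UUID("33333333-3333-4333-8333-333333333333"),
                  "alice", False, "/exports/alice-pending.csv"),
    )
}


def download_keyed_only(job_id: str, requesting_user: str) -> str:
    """The weak pattern: the UUID alone selects the file.

    `requesting_user` is accepted but never consulted, so whoever presents
    a valid UUID gets the file, regardless of who owns it or whether it
    was ever meant to be downloadable. A malformed UUID is not handled
    either and would surface as a server error.
    """
    job = JOBS.get(uuid.UUID(job_id))
    if job is None:
        raise NotFound
    return job.path


def download_checked(job_id: str, requesting_user: str) -> str:
    """The hardened pattern: the key only indexes the caller's own,
    finished exports.

    A malformed UUID, an unknown UUID, another user's job and an
    unfinished job all yield the same 404, so the endpoint does not
    reveal which UUIDs exist.
    """
    try:
        key = uuid.UUID(job_id)
    except ValueError:
        raise NotFound from None
    job = JOBS.get(key)
    if job is None or job.owner != requesting_user or not job.ready:
        raise NotFound
    return job.path


def can_download(job_id: str, requesting_user: str) -> bool:
    """True if `download_checked` would serve the file, False otherwise."""
    try:
        download_checked(job_id, requesting_user)
    except NotFound:
        return False
    return True
```

The point of folding the ownership and readiness conditions into a single 404 is that the randomness of the UUID stays the only thing an unauthenticated-to-that-file caller has to guess; a separate 403 for "exists but not yours" would turn the endpoint into an oracle for valid identifiers.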
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: pretix
Product: pretix
Default status: unaffected
Affected version ranges (status: affected):
  >= 2024.10.0, < 2026.2.0
  >= 2026.2.0,  < 2026.3.0
  >= 2026.3.0,  < 2026.4.0
  >= 2026.4.0,  < 2026.5.0
VulnDex Vulnerability Enrichment
No advisory was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.22% 0.121
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
655498c3-6ec5-4f0b-aea6-853b334d05a6 3.8 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://pretix.eu/about/en/blog/20260527-release-2026-4-2/