Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for pretix-oppwa by pretix

    CVE-2026-13602 (GCVE-0-2026-13602)

    Vulnerability from nvd – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
    VLAI
    Title
    Session takeover vulnerability
    Summary
    We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: * The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set. * An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature. * A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-323 - Reusing a nonce, key pair in encryption
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.14.0 , < 2026.3.5 (python)
    Affected: 2026.4.0 , < 2026.4.5 (python)
    Affected: 2026.5.0 , < 2026.5.3 (python)
    Create a notification for this product.
    pretix pretix-mollie Affected: 0 , < 2.5.7 (python)
    Create a notification for this product.
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    pretix pretix-bitpay Affected: 0 , < 1.5.3 (python)
    Create a notification for this product.
    pretix pretix-payone Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    pretix pretix-secuconnect Affected: 0 , < 1.0.4 (python)
    Create a notification for this product.
    pretix pretix-sofort Affected: 0 , < 1.4.2 (python)
    Create a notification for this product.
    pretix pretix-saferpay Affected: 0 , < 1.6.3 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13602",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:54.400278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:27:00.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.5",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.5",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.3",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-mollie",
              "product": "pretix-mollie",
              "repo": "https://github.com/pretix/pretix-mollie",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-bitpay",
              "product": "pretix-bitpay",
              "repo": "https://github.com/pretix/pretix-bitpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-payone",
              "product": "pretix-payone",
              "repo": "https://github.com/pretix/pretix-payone",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-secuconnect",
              "product": "pretix-secuconnect",
              "repo": "https://github.com/pretix/pretix-secuconnect",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-sofort",
              "product": "pretix-sofort",
              "repo": "https://github.com/pretix/pretix-sofort",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-saferpay",
              "product": "pretix-saferpay",
              "repo": "https://github.com/pretix/pretix-saferpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-323",
                  "description": "CWE-323 Reusing a nonce, key pair in encryption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:45:30.615Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "title": "Session takeover vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
                }
              ],
              "value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13602",
        "datePublished": "2026-07-01T13:45:30.615Z",
        "dateReserved": "2026-06-29T08:26:50.725Z",
        "dateUpdated": "2026-07-01T15:27:00.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13603 (GCVE-0-2026-13603)

    Vulnerability from nvd – Published: 2026-07-01 13:18 – Updated: 2026-07-01 14:07
    VLAI
    Title
    SSRF with API key leak in pretix-oppwa
    Summary
    The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath. Our plugin pretix-oppwa did so insecurely by concatenating the parameter form the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL. After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-918 - Server-Side request forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13603",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T14:07:27.700177Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T14:07:36.332Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe payment integration \u003ccode\u003epretix-oppwa\u003c/code\u003e provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa\u0027s technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n \u003ccode\u003e?resourcePath=/v1/checkouts/{checkoutId}/payment\u003c/code\u003e in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by \u003ccode\u003ebaseUrl + resourcePath\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eOur plugin \u003ccode\u003epretix-oppwa\u003c/code\u003e did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a \u003ccode\u003e/\u003c/code\u003e at the end of the \u003ccode\u003ebaseUrl\u003c/code\u003e. Therefore, an attacker could inject a \u003ccode\u003eresourcePath\u003c/code\u003e argument in a way that causes pretix to call a \u003cem\u003edifferent\u003c/em\u003e\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider\u0027s system. This is fixed with the\n release today by strictly validating the given API URL.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.\u003c/strong\u003e\u003c/p\u003e"
                }
              ],
              "value": "The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa\u0027s technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider\u0027s system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            },
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:18:09.434Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cstrong\u003eAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.\u003c/strong\u003e\u003cdiv\u003e\u003cstrong\u003eAttack detection:\u003c/strong\u003e If you have access logs, you can search them for \u003ccode\u003eresourcePath=\u003c/code\u003e not followed by a \u003ccode\u003e/\u003c/code\u003e or encoded slash \u003ccode\u003e%2F\u003c/code\u003e.\u003cstrong\u003e\u003c/strong\u003e\u003c/div\u003e"
                }
              ],
              "value": "After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.Attack detection: If you have access logs, you can search them for resourcePath= not followed by a / or encoded slash %2F."
            }
          ],
          "title": "SSRF with API key leak in pretix-oppwa",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cstrong\u003eWorkaround:\u003c/strong\u003e If you are unable to update pretix quickly, we still recommend to try installing the \u003ccode\u003epretix-oppwa\u003c/code\u003e\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to \u003cstrong\u003euninstall\u003c/strong\u003e the \u003ccode\u003epretix-oppwa\u003c/code\u003e plugin."
                }
              ],
              "value": "Workaround: If you are unable to update pretix quickly, we still recommend to try installing the pretix-oppwa\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to uninstall the pretix-oppwa plugin."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13603",
        "datePublished": "2026-07-01T13:18:09.434Z",
        "dateReserved": "2026-06-29T08:26:51.607Z",
        "dateUpdated": "2026-07-01T14:07:36.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13222 (GCVE-0-2026-13222)

    Vulnerability from nvd – Published: 2026-06-25 14:07 – Updated: 2026-06-25 15:13
    VLAI
    Title
    Insufficient validation of payment status in pretix-oppwa
    Summary
    Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-841 - Improper enforcement of behavioral workflow
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix-oppwa Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    Credits
    Deepjyoti Roy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:13:47.859125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:13:53.504Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppw",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deepjyoti Roy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
                }
              ],
              "value": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-21",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-21 Exploitation of Trusted Identifiers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-841",
                  "description": "CWE-841 Improper enforcement of behavioral workflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:16:55.922Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "title": "Insufficient validation of payment status in pretix-oppwa",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13222",
        "datePublished": "2026-06-25T14:07:03.521Z",
        "dateReserved": "2026-06-24T16:01:13.668Z",
        "dateUpdated": "2026-06-25T15:13:53.504Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13602 (GCVE-0-2026-13602)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
    VLAI
    Title
    Session takeover vulnerability
    Summary
    We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: * The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set. * An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature. * A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-323 - Reusing a nonce, key pair in encryption
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.14.0 , < 2026.3.5 (python)
    Affected: 2026.4.0 , < 2026.4.5 (python)
    Affected: 2026.5.0 , < 2026.5.3 (python)
    Create a notification for this product.
    pretix pretix-mollie Affected: 0 , < 2.5.7 (python)
    Create a notification for this product.
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    pretix pretix-bitpay Affected: 0 , < 1.5.3 (python)
    Create a notification for this product.
    pretix pretix-payone Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    pretix pretix-secuconnect Affected: 0 , < 1.0.4 (python)
    Create a notification for this product.
    pretix pretix-sofort Affected: 0 , < 1.4.2 (python)
    Create a notification for this product.
    pretix pretix-saferpay Affected: 0 , < 1.6.3 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13602",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:54.400278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:27:00.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.5",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.5",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.3",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-mollie",
              "product": "pretix-mollie",
              "repo": "https://github.com/pretix/pretix-mollie",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-bitpay",
              "product": "pretix-bitpay",
              "repo": "https://github.com/pretix/pretix-bitpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-payone",
              "product": "pretix-payone",
              "repo": "https://github.com/pretix/pretix-payone",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-secuconnect",
              "product": "pretix-secuconnect",
              "repo": "https://github.com/pretix/pretix-secuconnect",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-sofort",
              "product": "pretix-sofort",
              "repo": "https://github.com/pretix/pretix-sofort",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-saferpay",
              "product": "pretix-saferpay",
              "repo": "https://github.com/pretix/pretix-saferpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-323",
                  "description": "CWE-323 Reusing a nonce, key pair in encryption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:45:30.615Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "title": "Session takeover vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
                }
              ],
              "value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13602",
        "datePublished": "2026-07-01T13:45:30.615Z",
        "dateReserved": "2026-06-29T08:26:50.725Z",
        "dateUpdated": "2026-07-01T15:27:00.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13603 (GCVE-0-2026-13603)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:18 – Updated: 2026-07-01 14:07
    VLAI
    Title
    SSRF with API key leak in pretix-oppwa
    Summary
    The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath. Our plugin pretix-oppwa did so insecurely by concatenating the parameter form the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL. After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-918 - Server-Side request forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13603",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T14:07:27.700177Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T14:07:36.332Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe payment integration \u003ccode\u003epretix-oppwa\u003c/code\u003e provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa\u0027s technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n \u003ccode\u003e?resourcePath=/v1/checkouts/{checkoutId}/payment\u003c/code\u003e in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by \u003ccode\u003ebaseUrl + resourcePath\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eOur plugin \u003ccode\u003epretix-oppwa\u003c/code\u003e did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a \u003ccode\u003e/\u003c/code\u003e at the end of the \u003ccode\u003ebaseUrl\u003c/code\u003e. Therefore, an attacker could inject a \u003ccode\u003eresourcePath\u003c/code\u003e argument in a way that causes pretix to call a \u003cem\u003edifferent\u003c/em\u003e\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider\u0027s system. This is fixed with the\n release today by strictly validating the given API URL.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.\u003c/strong\u003e\u003c/p\u003e"
                }
              ],
              "value": "The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa\u0027s technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider\u0027s system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            },
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:18:09.434Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cstrong\u003eAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.\u003c/strong\u003e\u003cdiv\u003e\u003cstrong\u003eAttack detection:\u003c/strong\u003e If you have access logs, you can search them for \u003ccode\u003eresourcePath=\u003c/code\u003e not followed by a \u003ccode\u003e/\u003c/code\u003e or encoded slash \u003ccode\u003e%2F\u003c/code\u003e.\u003cstrong\u003e\u003c/strong\u003e\u003c/div\u003e"
                }
              ],
              "value": "After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.Attack detection: If you have access logs, you can search them for resourcePath= not followed by a / or encoded slash %2F."
            }
          ],
          "title": "SSRF with API key leak in pretix-oppwa",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cstrong\u003eWorkaround:\u003c/strong\u003e If you are unable to update pretix quickly, we still recommend to try installing the \u003ccode\u003epretix-oppwa\u003c/code\u003e\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to \u003cstrong\u003euninstall\u003c/strong\u003e the \u003ccode\u003epretix-oppwa\u003c/code\u003e plugin."
                }
              ],
              "value": "Workaround: If you are unable to update pretix quickly, we still recommend to try installing the pretix-oppwa\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to uninstall the pretix-oppwa plugin."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13603",
        "datePublished": "2026-07-01T13:18:09.434Z",
        "dateReserved": "2026-06-29T08:26:51.607Z",
        "dateUpdated": "2026-07-01T14:07:36.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13222 (GCVE-0-2026-13222)

    Vulnerability from cvelistv5 – Published: 2026-06-25 14:07 – Updated: 2026-06-25 15:13
    VLAI
    Title
    Insufficient validation of payment status in pretix-oppwa
    Summary
    Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-841 - Improper enforcement of behavioral workflow
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix-oppwa Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    Credits
    Deepjyoti Roy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:13:47.859125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:13:53.504Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppw",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deepjyoti Roy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
                }
              ],
              "value": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-21",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-21 Exploitation of Trusted Identifiers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-841",
                  "description": "CWE-841 Improper enforcement of behavioral workflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:16:55.922Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "title": "Insufficient validation of payment status in pretix-oppwa",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13222",
        "datePublished": "2026-06-25T14:07:03.521Z",
        "dateReserved": "2026-06-24T16:01:13.668Z",
        "dateUpdated": "2026-06-25T15:13:53.504Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }