Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for pretix-payone by pretix

    CVE-2026-13602 (GCVE-0-2026-13602)

    Vulnerability from nvd – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
    VLAI
    Title
    Session takeover vulnerability
    Summary
    We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: * The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set. * An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature. * A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-323 - Reusing a nonce, key pair in encryption
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.14.0 , < 2026.3.5 (python)
    Affected: 2026.4.0 , < 2026.4.5 (python)
    Affected: 2026.5.0 , < 2026.5.3 (python)
    Create a notification for this product.
    pretix pretix-mollie Affected: 0 , < 2.5.7 (python)
    Create a notification for this product.
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    pretix pretix-bitpay Affected: 0 , < 1.5.3 (python)
    Create a notification for this product.
    pretix pretix-payone Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    pretix pretix-secuconnect Affected: 0 , < 1.0.4 (python)
    Create a notification for this product.
    pretix pretix-sofort Affected: 0 , < 1.4.2 (python)
    Create a notification for this product.
    pretix pretix-saferpay Affected: 0 , < 1.6.3 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13602",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:54.400278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:27:00.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.5",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.5",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.3",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-mollie",
              "product": "pretix-mollie",
              "repo": "https://github.com/pretix/pretix-mollie",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-bitpay",
              "product": "pretix-bitpay",
              "repo": "https://github.com/pretix/pretix-bitpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-payone",
              "product": "pretix-payone",
              "repo": "https://github.com/pretix/pretix-payone",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-secuconnect",
              "product": "pretix-secuconnect",
              "repo": "https://github.com/pretix/pretix-secuconnect",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-sofort",
              "product": "pretix-sofort",
              "repo": "https://github.com/pretix/pretix-sofort",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-saferpay",
              "product": "pretix-saferpay",
              "repo": "https://github.com/pretix/pretix-saferpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-323",
                  "description": "CWE-323 Reusing a nonce, key pair in encryption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:45:30.615Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "title": "Session takeover vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
                }
              ],
              "value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13602",
        "datePublished": "2026-07-01T13:45:30.615Z",
        "dateReserved": "2026-06-29T08:26:50.725Z",
        "dateUpdated": "2026-07-01T15:27:00.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13602 (GCVE-0-2026-13602)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
    VLAI
    Title
    Session takeover vulnerability
    Summary
    We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: * The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set. * An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature. * A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-323 - Reusing a nonce, key pair in encryption
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.14.0 , < 2026.3.5 (python)
    Affected: 2026.4.0 , < 2026.4.5 (python)
    Affected: 2026.5.0 , < 2026.5.3 (python)
    Create a notification for this product.
    pretix pretix-mollie Affected: 0 , < 2.5.7 (python)
    Create a notification for this product.
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    pretix pretix-bitpay Affected: 0 , < 1.5.3 (python)
    Create a notification for this product.
    pretix pretix-payone Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    pretix pretix-secuconnect Affected: 0 , < 1.0.4 (python)
    Create a notification for this product.
    pretix pretix-sofort Affected: 0 , < 1.4.2 (python)
    Create a notification for this product.
    pretix pretix-saferpay Affected: 0 , < 1.6.3 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13602",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:54.400278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:27:00.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.5",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.5",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.3",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-mollie",
              "product": "pretix-mollie",
              "repo": "https://github.com/pretix/pretix-mollie",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-bitpay",
              "product": "pretix-bitpay",
              "repo": "https://github.com/pretix/pretix-bitpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-payone",
              "product": "pretix-payone",
              "repo": "https://github.com/pretix/pretix-payone",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-secuconnect",
              "product": "pretix-secuconnect",
              "repo": "https://github.com/pretix/pretix-secuconnect",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-sofort",
              "product": "pretix-sofort",
              "repo": "https://github.com/pretix/pretix-sofort",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-saferpay",
              "product": "pretix-saferpay",
              "repo": "https://github.com/pretix/pretix-saferpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-323",
                  "description": "CWE-323 Reusing a nonce, key pair in encryption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:45:30.615Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "title": "Session takeover vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
                }
              ],
              "value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13602",
        "datePublished": "2026-07-01T13:45:30.615Z",
        "dateReserved": "2026-06-29T08:26:50.725Z",
        "dateUpdated": "2026-07-01T15:27:00.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }