GHSA-WR8Q-C73G-M7GP

Vulnerability from github – Published: 2026-04-08 15:31 – Updated: 2026-04-08 19:23
Summary
pretix: API leaks check-in data between events of the same organizer
Details

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.

These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:

{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}

An unauthorized user usually has no way to match these IDs (position) back to individual people.
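The following Python is an added illustration, not pretix's own code: it models the scoping defect described above (a listing narrowed to the organizer but never to the requested event) beside the hardened form, and gives a check an operator can run over the records a deployment actually returns. It assumes that the `list` field references a check-in list belonging to exactly one event, and the list-to-event mapping and sample records are constructed.

```python
import json

# Constructed sample API response in the record format quoted above
# (unrelated fields trimmed). List 789 belongs, in this sample, to a
# different event of the same organizer.
SAMPLE_RESPONSE = json.dumps([
    {"id": 123, "successful": True, "error_reason": None, "position": 321,
     "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "type": "entry"},
    {"id": 124, "successful": False, "error_reason": "unpaid", "position": 322,
     "datetime": "2020-08-23T09:05:00+02:00", "list": 456, "type": "entry"},
    {"id": 900, "successful": True, "error_reason": None, "position": 777,
     "datetime": "2020-09-01T18:00:00+02:00", "list": 789, "type": "entry"},
])
RECORDS = json.loads(SAMPLE_RESPONSE)

# Assumed (constructed) mapping of the organizer's check-in list ids to the
# event each list belongs to.
LIST_TO_EVENT = {456: "conf-2020", 789: "workshop-2020"}


def own_list_ids(list_to_event, event):
    """Check-in list ids that belong to the requested event."""
    return {lid for lid, ev in list_to_event.items() if ev == event}


def list_checkins_vulnerable(records, list_to_event, event):
    """Bug pattern from the advisory: the result is narrowed to the
    organizer (every list the organizer owns) but the requested event is
    never applied, so scans from all of the organizer's events come back."""
    return [r for r in records if r["list"] in list_to_event]


def list_checkins_fixed(records, list_to_event, event):
    """Hardened form: scope to the requested event's own lists only."""
    own = own_list_ids(list_to_event, event)
    return [r for r in records if r["list"] in own]


def foreign_checkins(response_json, list_to_event, event):
    """Operator-side check: parse a response for `event` and return the ids
    of records whose list belongs to another event. A non-empty result
    means the deployment still exposes cross-event check-in data."""
    own = own_list_ids(list_to_event, event)
    return sorted(r["id"] for r in json.loads(response_json)
                  if r["list"] not in own)
```

Running `foreign_checkins` against a real response requires first fetching the requested event's check-in list ids so that the mapping reflects the deployment rather than the constructed sample.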


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.3.0"
            },
            {
              "fixed": "2026.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.2.0"
            },
            {
              "fixed": "2026.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-5600"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:23:39Z",
    "nvd_published_at": "2026-04-08T13:16:43Z",
    "severity": "MODERATE"
  },
  "details": "A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people.",
  "id": "GHSA-wr8q-c73g-m7gp",
  "modified": "2026-04-08T19:23:39Z",
  "published": "2026-04-08T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5600"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pretix/pretix"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pretix: API leaks check-in data between events of the same organizer"
}

