CVE-2026-5600

216.73.216.6

· Published 08/04/2026 13:16 · Modified 08/04/2026 21:26

Labels: CVE-2026-5600 2026-04-08 655498c3-6ec5-4f0b-aea6-853b334d05a6 CVE-2026-5600 CWE-653

Essential information

Published: 08/04/2026 13:16
Modified: 08/04/2026 21:26
Author: —
Creator: —
CVSS: 5.5 MEDIUM (v3) 5.5 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually has no way to match these IDs (position) back to individual people.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 655498c3-6ec5-4f0b-aea6-853b334d05a6
NVD: View on NVD

Affected products (CPE)

Product	CPE
pretix / pretix	`cpe:2.3:a:pretix:pretix:2025:::::::*`