Pretix 2025 API endpoint returns sensitive data
CVE-2026-5600
GHSA-wr8q-c73g-m7gp
Summary
A new API endpoint in Pretix 2025 exposes sensitive data about all events managed by the same organizer, allowing unauthorized users to access information they shouldn't have: an API user with access to one event can read the check-in events of the organizer's other events, which they shouldn't be able to see. To fix this, update to the latest version of Pretix 2025.
What to do
- Update pretix to version 2026.3.1.
- Update pretix to version 2026.2.1.
- Update pretix to version 2026.1.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pretix | > 2026.3.0, <= 2026.3.1 | 2026.3.1 |
| – | pretix | > 2026.2.0, <= 2026.2.1 | 2026.2.1 |
| – | pretix | <= 2026.1.2 | 2026.1.2 |
Original title
pretix: API leaks check-in data between events of the same organizer
Original description
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:

```json
{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}
```

An unauthorized user usually has no way to match these IDs (position) back to individual people.
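The scoping mistake described above, shown as an added example that is not pretix's own code: a hypothetical in-memory model in which an organizer owns events, each event owns check-in lists, and each scan belongs to one list (the `list` field of the JSON record). The vulnerable filter stops at the organizer, the fixed filter also requires the requested event, and `foreign_records` is an audit helper that flags scans from any other event in a response.

```python
from dataclasses import dataclass

# Constructed, hypothetical model of pretix-style ownership (not pretix's own code).
@dataclass(frozen=True)
class CheckinList:
    id: int
    event: str      # event slug this check-in list belongs to
    organizer: str  # organizer slug that owns the event

@dataclass(frozen=True)
class Checkin:
    id: int
    position: int   # matched ticket (order position) ID
    list: int       # CheckinList.id, as in the advisory's JSON record
    successful: bool
    type: str

# Constructed sample data: two events of organizer "acme", one of "globex".
LISTS = {
    456: CheckinList(456, "conf-2026", "acme"),
    789: CheckinList(789, "workshop-2026", "acme"),  # sibling event, same organizer
    900: CheckinList(900, "other-2026", "globex"),
}
CHECKINS = [
    Checkin(123, 321, 456, True, "entry"),
    Checkin(124, 322, 789, True, "entry"),
    Checkin(125, 323, 789, False, "entry"),
    Checkin(126, 324, 900, True, "exit"),
]

def checkins_vulnerable(organizer: str, event: str) -> list[Checkin]:
    # The flaw from the advisory: only the organizer is checked, so scans from
    # every event of that organizer are returned regardless of `event`.
    return [c for c in CHECKINS if LISTS[c.list].organizer == organizer]

def checkins_fixed(organizer: str, event: str) -> list[Checkin]:
    # Corrected scoping: the scan's list must belong to the requested event.
    return [c for c in CHECKINS
            if LISTS[c.list].organizer == organizer and LISTS[c.list].event == event]

def foreign_records(records: list[Checkin], event: str) -> list[int]:
    # Audit helper: IDs of returned scans whose list belongs to another event.
    # A non-empty result on a per-event endpoint indicates the leak.
    return [c.id for c in records if LISTS[c.list].event != event]
```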
NVD CVSS 4.0
5.5
Vulnerability type
CWE-653
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026