Description
When creating an export of all reusable media, the secrets of connected
gift cards were included in the export even if the user creating the
export does not have permission to view gift cards. This is inconsistent
with the UI and API where only the first letters of the gift card
secret are shown. Therefore, it allows circumventing a permission
boundary.
Published: 2026-06-09
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An export function that gathers all reusable media inadvertently includes full gift card secrets. This disclosure occurs even when the user initiating the export lacks permission to view gift card details, violating the intended access controls. The vulnerability permits unauthorized viewing of sensitive data, potentially enabling fraud or unauthorized redemption of gift cards.
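The mechanism described here is a classic inconsistency between output channels: the UI and API redact the gift card secret for users without the gift-card permission, while the export path serialises the stored value directly. The Python example below is an added illustration, not pretix's own code; the permission name `can_view_giftcards`, the four-character visible prefix, the `ReusableMedium` dataclass and the sample secrets are all constructed assumptions. It shows the flawed export pattern beside a hardened one that routes every channel through a single redaction decision, plus a regression check that compares export rows against what the UI would show the same user.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical permission identifier; pretix's real permission names are not on the page.
PERM_VIEW_GIFTCARDS = "can_view_giftcards"
# Constructed choice: how many leading characters the UI/API reveal to users
# who lack the gift-card permission ("only the first letters").
VISIBLE_PREFIX = 4


@dataclass(frozen=True)
class ReusableMedium:
    """Minimal stand-in for a reusable medium record (constructed, not pretix's model)."""
    identifier: str
    giftcard_secret: Optional[str]  # None when no gift card is linked


def mask_secret(secret: Optional[str], visible: int = VISIBLE_PREFIX) -> Optional[str]:
    """Reveal at most the first `visible` characters; never echo a short secret whole."""
    if secret is None:
        return None
    if len(secret) <= visible:
        return "*" * len(secret)
    return secret[:visible] + "*" * (len(secret) - visible)


def giftcard_secret_for(user_perms: Set[str], secret: Optional[str]) -> Optional[str]:
    """Single redaction decision that UI, API and export must all route through."""
    if PERM_VIEW_GIFTCARDS in user_perms:
        return secret
    return mask_secret(secret)


def export_media_vulnerable(
    media: List[ReusableMedium], user_perms: Set[str]
) -> List[Dict[str, Optional[str]]]:
    """The flawed pattern: the exporter serialises the stored value and never
    consults the caller's permissions, so the full secret leaks into the file."""
    return [{"id": m.identifier, "giftcard_secret": m.giftcard_secret} for m in media]


def export_media_fixed(
    media: List[ReusableMedium], user_perms: Set[str]
) -> List[Dict[str, Optional[str]]]:
    """Hardened exporter: every row passes through the same gate as the UI/API."""
    return [
        {"id": m.identifier, "giftcard_secret": giftcard_secret_for(user_perms, m.giftcard_secret)}
        for m in media
    ]


def find_secret_leaks(
    rows: List[Dict[str, Optional[str]]], media: List[ReusableMedium], user_perms: Set[str]
) -> List[str]:
    """Regression check: list media whose export row shows a different (fuller)
    secret than the UI would show the same user."""
    expected = {m.identifier: giftcard_secret_for(user_perms, m.giftcard_secret) for m in media}
    return [row["id"] for row in rows if row["giftcard_secret"] != expected.get(row["id"])]


# Constructed sample data; the secrets are made-up strings, not real gift card codes.
SAMPLE_MEDIA = [
    ReusableMedium("medium-1", "ABCD1234EFGH"),
    ReusableMedium("medium-2", "XYZ"),
    ReusableMedium("medium-3", None),
]

if __name__ == "__main__":
    unprivileged: Set[str] = set()
    vulnerable_rows = export_media_vulnerable(SAMPLE_MEDIA, unprivileged)
    fixed_rows = export_media_fixed(SAMPLE_MEDIA, unprivileged)
    print("leaking rows (vulnerable exporter):", find_secret_leaks(vulnerable_rows, SAMPLE_MEDIA, unprivileged))
    print("leaking rows (fixed exporter):     ", find_secret_leaks(fixed_rows, SAMPLE_MEDIA, unprivileged))
```

The useful design point is that `giftcard_secret_for` is the only place that decides what a given user may see; UI templates, API serializers and exporters all call it, so a new output channel cannot silently bypass the permission boundary. The `find_secret_leaks` check is the kind of test that would have caught this class of bug before release: run each exporter as an unprivileged user and assert that no row reveals more than the UI does.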

Affected Systems

The issue affects the Pretix e‑commerce platform produced by pretix. No specific version is listed in the available data; however, the linked release notes reference a version 2026‑5‑1, implying earlier releases may be vulnerable.

Risk and Exploitability

The CVSS score of 3.6 indicates a moderate impact with limited exploitability. The EPSS score is not available, and the vulnerability is not recorded in the CISA KEV catalog. The attack likely occurs via the public export interface or API endpoint that the application provides for listing reusable media. An attacker who can initiate an export will, without needing to meet gift card viewing permissions, receive confidential secret values.

Generated by OpenCVE AI on June 9, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pretix to the latest released version (e.g., 2026‑5‑1 or newer) where the export logic has been fixed
  • If a timely upgrade is not possible, temporarily disable the reusable‑media export feature for non‑admin users
  • Restrict export usage to administrators only until the fix is applied



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 14:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Pretix
                                       Pretix pretix
Vendors & Products    -                Pretix
                                       Pretix pretix

Tue, 09 Jun 2026 12:30:00 +0000

Type          Values Removed   Values Added
Description   -                When creating an export of all reusable media, the secrets of connected
                               gift cards were included in the export even if the user creating the
                               export does not have permission to view gift cards. This is inconsistent
                               with the UI and API where only the first letters of the gift card secret
                               are shown. Therefore, it allows circumventing a permission boundary.
Title         -                Data exposed without proper permission
Weaknesses    -                CWE-280
References    -
Metrics       -                cvssV4_0
                               {'score': 3.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-09T13:49:42.672Z

Reserved: 2026-06-09T08:08:24.188Z

Link: CVE-2026-11764

Vulnrichment

Updated: 2026-06-09T13:49:34.715Z

NVD

Status : Deferred

Published: 2026-06-09T13:16:35.533

Modified: 2026-06-09T13:57:49.980

Link: CVE-2026-11764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T14:00:06Z

Weaknesses