Description
Our payment integration with Oppwa-based payment methods did not
properly validate payment status responses. An attacker could use a
successful payment status response from one payment and supply it to the
system for a different payment, gaining access to multiple valid
tickets with only one payment.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insufficient validation of payment status responses in the Oppwa integration of pretix. An attacker can take a successful payment status from one ticket transaction and feed it to the system for a different payment, causing the platform to believe the new transaction was successful and granting access to multiple valid tickets. This flaw has a CVSS score of 6.3 and is classified as CWE‑841, indicating poor validation of authentication credentials or responses.

Affected Systems

The affected product is pretix's Oppwa integration plugin. No specific version range is listed in the advisory, so any installation that has not been updated to the 2026-5-2 release may be vulnerable.

Risk and Exploitability

The risk is moderate. The CVSS score of 6.3 reflects that the flaw can be exploited remotely via the web interface or API, though the EPSS score is currently unavailable and the vulnerability is not listed in KEV. An attacker who can obtain or guess a valid payment status identifier could reuse it for another transaction, enabling unauthorized ticket issuance. The exploit requires no special privileges beyond the ability to submit a payment status update, making it potentially accessible to attackers who manipulate the payment callback or perform social engineering.

Generated by OpenCVE AI on June 25, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest pretix-oppwa 2026-5-2 or newer update that implements proper payment status validation.
  • Reconfigure payment callback handling to ensure that the payment identifier in the response matches the original transaction ID before authorizing ticket access.
  • Review and audit existing tickets for evidence of duplicate or unintended issuances that may have arisen from the flaw.

Generated by OpenCVE AI on June 25, 2026 at 15:21 UTC.
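The identifier-binding check from the second recommended action, written as a constructed Python example (not pretix-oppwa's own code): the same status-response handler in its unchecked form beside the hardened form. The response field names `id`, `result.code`, `amount` and `currency`, the `000.` success prefix and the payment record layout are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class LocalPayment:  # pretix-side record of one payment attempt (illustrative)
    provider_ref: str   # provider checkout/transaction id created for this payment
    amount: Decimal
    currency: str
    state: str = "pending"

class ReplayRejected(Exception): pass
CONSUMED_REFS: set = set()  # stands in for a DB uniqueness constraint on provider ids

def is_success(status: dict) -> bool:
    # Simplification (assumed format): any "000." result code counts as success.
    return status.get("result", {}).get("code", "").startswith("000.")

def confirm_vulnerable(payment: LocalPayment, status: dict) -> bool:
    # Checks only the result code, so a success response belonging to a
    # different payment is accepted for this one (the reported weakness).
    if is_success(status):
        payment.state = "confirmed"
        return True
    return False

def confirm_hardened(payment: LocalPayment, status: dict) -> bool:
    # The response must name the provider id this payment was started with (better:
    # fetch it server-side by that id), match amount/currency, and be used once.
    if not is_success(status):
        return False
    if status.get("id") != payment.provider_ref:
        raise ReplayRejected("status response refers to another payment")
    if (Decimal(str(status.get("amount"))) != payment.amount
            or status.get("currency") != payment.currency):
        raise ReplayRejected("amount or currency mismatch")
    if status["id"] in CONSUMED_REFS:
        raise ReplayRejected("status response already used for a payment")
    CONSUMED_REFS.add(status["id"])
    payment.state = "confirmed"
    return True

# Constructed success response for payment A (provider id chk-AAA).
STATUS_A = {"id": "chk-AAA", "result": {"code": "000.000.000"},
            "amount": "10.00", "currency": "EUR"}

def confirm_with_a(confirm, provider_ref: str) -> bool:
    # Feed payment A's response to a local payment started with `provider_ref`.
    try:
        return confirm(LocalPayment(provider_ref, Decimal("10.00"), "EUR"), STATUS_A)
    except ReplayRejected:
        return False
```

Feeding A's response to a payment started as chk-BBB is accepted by `confirm_vulnerable` and rejected by `confirm_hardened`; the hardened check also refuses a second use of the same response once payment A itself has been confirmed.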

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:45:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

Type: Title
  Values Removed: (empty)
  Values Added: Insufficient validation of payment status in pretix-oppwa

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-841

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:13:53.504Z

Reserved: 2026-06-24T16:01:13.668Z

Link: CVE-2026-13222

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T15:30:16Z

Weaknesses
  • CWE-841: Improper Enforcement of Behavioral Workflow