Description
Our payment integration with Computop-based payment methods did not
properly validate payment status responses. An attacker could use a
successful payment status response from one payment and supply it to the
system for a different payment, gaining access to multiple valid
tickets with only one payment.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from the payment integration with Computop in pretix. The system fails to verify that the payment status response matches the original payment request. As a result an attacker can reuse a confirmed payment status from one transaction and present it for a different transaction, thereby authenticating multiple valid tickets with a single payment. The flaw is classified as CWE‑841 and leads to unauthorized access to purchased event tickets.

Affected Systems

The affected component is the pretix‑computop integration module in the pretix ticketing platform. Versions of pretix released before 2026.5.2 did not implement proper status validation. A downstream upgrade to the 2026.5.2 release or later resolves the issue.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. The EPSS score is unavailable, so the current exploitation likelihood is unclear, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be launched remotely by sending a forged payment status response to the pretix server. Once exploited, an attacker can redeem multiple tickets, effectively bypassing payment requirements.

Generated by OpenCVE AI on June 25, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pretix to version 2026.5.2 or later, which includes proper validation of payment status responses.
  • Temporarily disable or restrict Computop-based payment methods in pretix until the upgrade is applied, preventing the exploitation of the vulnerable logic.
  • Perform manual transaction verification and review audit logs for anomalous ticket redemptions to confirm that the vulnerability is fully mitigated.

Generated by OpenCVE AI on June 25, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix-computop
Vendors & Products Pretix
Pretix pretix-computop

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
Title Insufficient validation of payment status in pretix-computop
Weaknesses CWE-841
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

Pretix Pretix-computop
cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:14:14.673Z

Reserved: 2026-06-24T16:01:54.416Z

Link: CVE-2026-13223

cve-icon Vulnrichment

Updated: 2026-06-25T15:14:12.103Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:38Z

Weaknesses
  • CWE-841

    Improper Enforcement of Behavioral Workflow