Impact
This vulnerability arises from the payment integration with Computop in pretix. The system fails to verify that the payment status response matches the original payment request. As a result an attacker can reuse a confirmed payment status from one transaction and present it for a different transaction, thereby authenticating multiple valid tickets with a single payment. The flaw is classified as CWE‑841 and leads to unauthorized access to purchased event tickets.
Affected Systems
The affected component is the pretix‑computop integration module in the pretix ticketing platform. Versions of pretix released before 2026.5.2 did not implement proper status validation. A downstream upgrade to the 2026.5.2 release or later resolves the issue.
Risk and Exploitability
The CVSS score of 6.3 indicates medium severity. The EPSS score is unavailable, so the current exploitation likelihood is unclear, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be launched remotely by sending a forged payment status response to the pretix server. Once exploited, an attacker can redeem multiple tickets, effectively bypassing payment requirements.
OpenCVE Enrichment