Description
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
Published: 2026-06-25
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability occurs when room creation permissions are evaluated incorrectly, allowing an attacker to create rooms of types that should be restricted. The effect is a privilege escalation, enabling unauthorized configuration of rooms that may expose sensitive data or grant elevated capabilities. The flaw stems from improper authorization enforcement, identified as CWE-639.

Affected Systems

The affected system is Pretix Venueless. No specific version range is listed in the advisory, so all deployments of Venueless may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity issue. Because no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation appears limited. The attack likely requires an authenticated user with access to the room‑creation interface; the attacker would need only to supply the appropriate parameters to create a prohibited room type.

Generated by OpenCVE AI on June 25, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch for Pretix Venueless as documented in the GitHub advisory.
  • Restrict room‑creation permissions so that only authorized roles can create premium or special room types.
  • Enable audit logging for room‑creation actions and regularly review logs for unauthorized attempts.

Generated by OpenCVE AI on June 25, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix venueless
Vendors & Products Pretix
Pretix venueless

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Incorrect Permission Check During Room Creation in Venueless

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Pretix Venueless
cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T18:15:25.953Z

Reserved: 2026-06-25T16:01:43.504Z

Link: CVE-2026-13350

cve-icon Vulnrichment

Updated: 2026-06-25T18:15:11.624Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:15:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key