Description
We found a chain combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:

* The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set.

* An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature.

* A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
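The three bullets above describe one chain: a signing oracle (the redirect feature), a consumer that trusts any valid signature (the plugin session transport), and a privileged feature keyed off a session parameter (impersonation). The following is an added example that models that chain and each fix side by side. It is not pretix's code: the secret key, the salt strings, the session parameter names, the whitelist and the server-side impersonation token store are all assumptions standing in for the real implementation, and the signing scheme is a plain HMAC rather than the project's own signer.

```python
"""Added example for CVE-2026-13602 (not pretix's code): a minimal model of the
three weaknesses and their fixes. The key, salts, session parameter names and
the impersonation bookkeeping are assumptions standing in for the real code."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = b"constructed-demo-secret-key"  # stands in for the server's signing key


def _derive_key(salt: str) -> bytes:
    # Salt-separated key: a signature made under one salt must not verify under
    # another. Sharing one salt across features throws exactly that away.
    return hmac.new(SECRET_KEY, salt.encode(), hashlib.sha256).digest()


def sign(payload: dict, salt: str) -> str:
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    mac = hmac.new(_derive_key(salt), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def unsign(token: str, salt: str):
    """Return the payload if the signature is valid under this salt, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(_derive_key(salt), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


# --- Before the fix: one salt for the redirect feature and every payment plugin ---
SHARED_SALT = "signing"


def redirect_link_vulnerable(params: dict) -> str:
    """Referer-obfuscating redirect: signs whatever an event organiser passes in."""
    return sign(params, SHARED_SALT)


def plugin_restore_session_vulnerable(session: dict, token: str) -> bool:
    """Payment plugin tab transport: trusts any validly signed parameters."""
    data = unsign(token, SHARED_SALT)
    if data is None:
        return False
    session.update(data)  # no check that the keys belong to this plugin
    return True


def impersonate_stop_vulnerable(session: dict):
    """'Stop impersonating': becomes whichever user ID the session names."""
    return session.get("impersonate_original_user")


# --- After the fix: per-feature salts, a key whitelist, an unguessable token ---
REDIRECT_SALT = "redirect-referer"
PLUGIN_SALT = "payment-stripe-session"
PLUGIN_ALLOWED_KEYS = {"payment_stripe_order_secret"}  # assumed plugin-scoped keys
IMPERSONATION_TOKENS = {}  # server side: user ID -> token issued at impersonation start


def redirect_link_fixed(params: dict) -> str:
    return sign(params, REDIRECT_SALT)


def plugin_restore_session_fixed(session: dict, token: str) -> bool:
    data = unsign(token, PLUGIN_SALT)
    if data is None or not set(data) <= PLUGIN_ALLOWED_KEYS:
        return False  # wrong salt, or a key outside this plugin's scope
    session.update(data)
    return True


def impersonate_start_fixed(session: dict, admin_user_id: int) -> None:
    token = secrets.token_urlsafe(32)  # unguessable; stored server side as well
    IMPERSONATION_TOKENS[admin_user_id] = token
    session["impersonate_original_user"] = admin_user_id
    session["impersonate_token"] = token


def impersonate_stop_fixed(session: dict):
    uid = session.get("impersonate_original_user")
    token = session.get("impersonate_token")
    if not isinstance(uid, int) or not isinstance(token, str):
        return None
    expected = IMPERSONATION_TOKENS.get(uid)
    if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return uid


def attack_chain(victim_user_id: int, redirect_sign, restore, stop):
    """Attacker with event access: have the redirect feature sign a session
    parameter, replay the token into a plugin, then call 'stop impersonating'."""
    attacker_session = {"user": 1000}
    forged = redirect_sign({"impersonate_original_user": victim_user_id})
    restore(attacker_session, forged)
    return stop(attacker_session)  # vulnerable chain -> 1, fixed chain -> None
```

Run stand-alone, `attack_chain(1, redirect_link_vulnerable, plugin_restore_session_vulnerable, impersonate_stop_vulnerable)` returns the victim's ID 1, while the same call with the `_fixed` functions returns None at the first step because the redirect feature's signature no longer verifies under the plugin's salt. Note that the whitelist check is independent of the salt fix: even a token signed under the plugin's own salt is rejected if it carries a key outside the plugin's scope, which is what closes the chain if another signing oracle is ever found.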
Published: 2026-07-01
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The payment plugins' tab-transport code path accepts any set of session parameters whose signature verifies, without checking that those parameters belong to the plugin (CWE-20). The Referer-obfuscating redirect feature signs caller-supplied content with the same key and salt (CWE-323, key and salt reuse across features), so an authenticated attacker with access to at least one event can obtain a valid signature over arbitrary session parameters by crafting a redirect link, then replay that signed payload into a plugin to write the parameters into their own session. That lets them set the session parameter the admin impersonation feature uses to decide which user to switch to; with a guessed user ID, calling the "stop impersonating" endpoint turns their session into that user's. The result is a session as any backend user, including administrators, and access to any data that user can reach.

Affected Systems

The flaw affects the pretix core system (which contains the Stripe integration, the redirect feature and the impersonation feature) together with the separately distributed payment plugins listed by the CNA: pretix-bitpay, pretix-mollie, pretix-oppwa, pretix-payone, pretix-saferpay, pretix-secuconnect, and pretix-sofort. The record enumerates no affected version ranges; the fix is described as shipping in the releases issued on the publication date (the 2026-5-3 release named in the recommended actions) for core and for each plugin, so all of them need updating, not core alone.

Risk and Exploitability

The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U) scores 7.7 (High): network-reachable, low complexity, no user interaction, but PR:L, and the description is explicit that the attacker needs a backend account with access to at least one event in order to have the redirect feature sign their payload. This is not an unauthenticated attack; any user with backend access to one event (for example a member of an organiser team) is in scope, and a single such account is enough to reach every other user. E:U and the SSVC assessment (Exploitation: none, Automatable: no) indicate that no public exploit or in-the-wild use was known at publication, no EPSS score is available, and the vulnerability is not in the CISA KEV catalog. If exploited, the attacker obtains a session as an arbitrary backend user, so the technical impact is total.

Generated by OpenCVE AI on July 2, 2026 at 00:59 UTC.

Remediation

Vendor Workaround

If you are unable to update quickly, we recommend blocking the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; } into the correct block. However, this only remedies the most critical impact the other vulnerabilities have, and we still recommend you plan an update as soon as possible.
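As an added example (not part of the vendor advisory), here is where that location block sits inside a typical reverse-proxy server block, with one caveat the one-liner above does not cover: nginx lets a matching regex location override a plain prefix location, so if your configuration already has something like location ~ ^/control/ the deny block would never be reached. The ^~ modifier makes the prefix match final. The hostname and upstream address are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name tickets.example.org;        # assumed hostname

    # Workaround for CVE-2026-13602: refuse the "stop impersonating" endpoint.
    # "^~" stops nginx from considering regex locations after this prefix
    # matches, so a "location ~ ^/control/ {...}" elsewhere cannot override it.
    # Prefix matching also covers the trailing-slash form of the URL.
    location ^~ /control/users/impersonate/stop {
        deny all;                           # answered with 403
    }

    # A broader prefix location loses to the longer one above by longest
    # match, whatever the order in the file.
    location / {
        proxy_pass http://127.0.0.1:8345;   # assumed pretix backend address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the result with nginx -t, reload, and confirm that a request to the path returns 403 while the rest of /control/ still reaches the application. Remember that this only breaks the final step of the chain; the signing oracle and the unvalidated session parameters remain until the update is applied.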


OpenCVE Recommended Actions

  • Apply the 2026‑5‑3 release of pretix and all related payment integration plugins; the fix is split across core (separate salts per feature, unguessable impersonation state) and each plugin (session parameters restricted to the plugin's own scope), so updating core alone is not sufficient.
  • If an immediate patch is not possible, configure the web server to deny access to the /control/users/impersonate/stop endpoint. This blocks the step that converts injected session parameters into another user's session; it does not stop the signing oracle or the parameter injection themselves.
  • Review any custom or third‑party code that uses cryptographic signatures in redirects or session handling: every feature that signs or verifies should use its own salt, verifiers should whitelist the exact parameters they accept rather than trusting any valid signature, and any switch of user context should depend on unguessable, server-issued state rather than a user ID alone.

Generated by OpenCVE AI on July 2, 2026 at 00:59 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description   -                (the CNA description shown under Description above)
Title         -                Session takeover vulnerability
Weaknesses    -                CWE-20, CWE-323
References    -                -
Metrics       -                cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U'}


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-07-01T15:27:00.431Z

Reserved: 2026-06-29T08:26:50.725Z

Link: CVE-2026-13602

Vulnrichment

Updated: 2026-07-01T15:26:57.313Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T01:00:12Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-323

    Reusing a Nonce, Key Pair in Encryption