Impact
An attacker can craft signed session parameters that are accepted by the payment integration plugins because the code verifies only the cryptographic signature but does not validate the content or its origin. The system also uses the same signing key and salt for a redirect feature that obfuscates Referer headers, allowing the attacker to generate arbitrary signed payloads. By combining these weaknesses, the attacker can inject malicious session data into the payment plugins and then exploit an administrative impersonation endpoint to switch from their own user context to any other user by guessing a valid ID. The result is possession of another user’s session and unconditional access to all backend data and administrative functions. This is a classic example of improper input validation (CWE‑20) and misuse of cryptographic signing (CWE‑323).
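The weakness described above, as an added illustrative example (not pretix code, and not the signing scheme pretix actually uses): one HMAC key and salt shared between a referer-obfuscating redirect helper and a payment-session loader, so any blob the redirect helper signs also passes the payment loader's signature check. The hardened variant binds each feature to its own salt and validates the payload's purpose and fields before trusting it. All function names, salts, the secret and the provider names are constructed for this example.

```python
"""
Added example: signature-only verification with a shared key/salt versus
per-purpose salts plus payload validation. Hypothetical names throughout.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed secret for the example; a real deployment loads it from config.
SECRET_KEY = b"example-secret-key-not-real"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(salt: bytes) -> bytes:
    # The salt is mixed into the MAC key, so distinct salts yield unrelated keys.
    return hashlib.sha256(salt + SECRET_KEY).digest()


def sign(payload: dict, salt: bytes) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(_derive_key(salt), body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify(token: str, salt: bytes):
    """Return the decoded payload if the MAC under `salt` is valid, else None."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(_derive_key(salt), body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


# ---- Weak pattern: one salt for two features, signature check only ----
SHARED_SALT = b"signing"


def redirect_link_weak(params: dict) -> str:
    # Hypothetical referer-obfuscating redirect: signs whatever it is handed.
    return sign(params, SHARED_SALT)


def load_payment_session_weak(token: str):
    # Accepts any validly signed blob; never asks which feature minted it.
    return verify(token, SHARED_SALT)


# ---- Hardened pattern: per-purpose salt and payload validation ----
REDIRECT_SALT = b"redirect-v1"
PAYMENT_SALT = b"payment-session-v1"
REQUIRED_FIELDS = {"purpose", "order", "provider"}
KNOWN_PROVIDERS = {"providerA", "providerB"}  # hypothetical plugin names


def issue_payment_session(order: str, provider: str) -> str:
    # Only the payment code path mints these, and the purpose is part of the payload.
    payload = {"purpose": "payment-session", "order": order, "provider": provider}
    return sign(payload, PAYMENT_SALT)


def redirect_link_hardened(params: dict) -> str:
    # The redirect helper signs a fixed schema under its own salt, nothing else.
    return sign({"url": str(params.get("url", ""))}, REDIRECT_SALT)


def load_payment_session_hardened(token: str):
    data = verify(token, PAYMENT_SALT)
    if not isinstance(data, dict) or not REQUIRED_FIELDS <= data.keys():
        return None
    if data["purpose"] != "payment-session" or data["provider"] not in KNOWN_PROVIDERS:
        return None
    return data


def demo() -> dict:
    """Compare how each loader treats a blob that the redirect helper signed."""
    foreign = {"order": "X", "provider": "providerA", "purpose": "payment-session"}
    weak_token = redirect_link_weak(foreign)
    hard_token = redirect_link_hardened(foreign)
    return {
        "weak_accepts_redirect_blob": load_payment_session_weak(weak_token) is not None,
        "hardened_rejects_redirect_blob": load_payment_session_hardened(hard_token) is None,
        "hardened_rejects_shared_salt_blob": load_payment_session_hardened(weak_token) is None,
        "hardened_accepts_own_token": load_payment_session_hardened(
            issue_payment_session("X", "providerA")) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that a correct MAC only proves the blob was produced by something holding the key; it says nothing about which feature produced it or whether the fields make sense for the consumer. Separating salts per purpose and checking the payload schema are the two controls that close the cross-feature confusion the advisory describes.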
Affected Systems
The flaw affects pretix core and all of its integrated payment plugins listed by the CNA: pretix‑bitpay, pretix‑mollie, pretix‑oppwa, pretix‑payone, pretix‑saferpay, pretix‑secuconnect, and pretix‑sofort. No specific vulnerable versions are enumerated, but the reference release 2026‑5‑3 applies to all of these components.
Risk and Exploitability
The CVSS score of 7.7 classifies this as a high‑severity flaw, but the EPSS score is unavailable and the vulnerability is not in the CISA KEV catalog, so the current exploitation probability is uncertain. Based on the description, the attack is remote and can be performed by an attacker who can craft URLs; it requires no local access or elevated privileges on the host. The attacker only needs to be able to reach the application’s web interface and supply crafted links. If exploited, the attacker would gain full backend access, effectively hijacking the system and compromising all user data.
OpenCVE Enrichment