Impact
The pretix-oppwa plugin builds a request URL by concatenating a resourcePath supplied by the payment provider directly onto a base API URL, without validation or normalization. This input validation weakness (CWE-20) lets an attacker craft a redirect URL that causes pretix to make a server-side request to an arbitrary host. Because each such request carries the payment provider's access token, the misdirected request leaks that credential, granting the attacker read access to sensitive payment data. The flaw is therefore an SSRF vulnerability (CWE-918) that can lead to unauthorized disclosure of confidential financial information.
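To make the concatenation flaw concrete, the following added example (not the plugin's own code) places the pattern the advisory describes next to a hardened builder that treats resourcePath as an untrusted relative path. The base URL, host names and path values are constructed placeholders; the real OPPWA endpoint is not named in the advisory.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the payment API base (not the real OPPWA URL).
# Without a trailing slash, naive concatenation lets the provider-supplied
# value alter the host part of the resulting URL.
BASE_URL = "https://payments.example.test"
TRUSTED_HOST = urlsplit(BASE_URL).netloc

# Allowlist for a relative API path: a leading slash, then unreserved
# characters and slashes only. No scheme, userinfo, '?', '#' or backslash.
_PATH_RE = re.compile(r"^/[A-Za-z0-9._~\-/]*$")


def host_of(url: str) -> str:
    """Return the authority part of url, i.e. where the request would go."""
    return urlsplit(url).netloc


def build_url_unsafe(resource_path: str) -> str:
    """The pattern the advisory describes: resourcePath is concatenated onto
    the base URL with no validation or normalization."""
    return BASE_URL + resource_path


def build_url_safe(resource_path: str) -> str:
    """Hardened builder: refuse any resourcePath that could steer the
    request, and the bearer token sent with it, away from the trusted host."""
    parts = urlsplit(resource_path)
    if parts.scheme or parts.netloc:
        raise ValueError("resourcePath must not carry a scheme or authority")
    if not _PATH_RE.match(resource_path):
        raise ValueError("resourcePath contains characters outside the allowlist")
    if ".." in resource_path.split("/"):
        raise ValueError("resourcePath must not contain parent-directory segments")
    url = BASE_URL + resource_path  # the regex guarantees a '/' separator here
    # Belt and braces: the resolved host must still be the trusted one.
    if host_of(url) != TRUSTED_HOST:
        raise ValueError("resolved URL left the trusted host")
    return url
```

A well-formed provider path such as `/v1/checkouts/abc123/payment` (constructed) yields the same URL from both builders; the hardened one only differs in rejecting values that would change the host, add a query string, or climb out of the path.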
Affected Systems
Any installation of the pretix-oppwa plugin for the pretix e-commerce platform that has not been updated to the 2026-5-3 release or later is affected. The advisory does not enumerate affected versions, but all releases before the latest contain the vulnerable concatenation logic. Administrators running pretix with this plugin should check the installed plugin version and update accordingly.
Risk and Exploitability
The vulnerability has a CVSS score of 9, indicating critical severity. No EPSS score is available, and the flaw is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is the payment provider's redirect URI, which an attacker can influence. Successful exploitation would expose the Oppwa API token and any payment data accessible through it.
OpenCVE Enrichment