Description
A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.

The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
Published: 2026-03-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to chat messages resulting in a confidentiality breach
Action: Immediate Patch
AI Analysis

Impact

A flaw in the reporting function of Venueless allows a user who holds the "update world" permission in any world to read chat histories, including direct messages, from other worlds hosted on the same server. An organiser of one world can thus obtain conversation content that should be confined to the original participants of a channel in a different world. The CVE is classified as CWE-20 (Improper Input Validation): the chat channel identifier supplied to the reporting feature is not restricted to channels belonging to the world in which the caller holds the permission.

Affected Systems

No affected or fixed version range is listed on this page. Treat any Venueless server that hosts more than one world, and on which some user holds the update world permission in at least one of them, as potentially affected until the vendor publishes a fix.

Risk and Exploitability

The CVSS 4.0 base score of 7.3 (High) reflects a network-reachable issue exploitable with low privileges (AV:N/PR:L), high confidentiality impact on the vulnerable world (VC:H) and high impact on subsequent systems (SC:H/SI:H/SA:H), which captures the reach into other worlds on the shared server. The AT:P component (attack requirements present) records the precondition: the attacker must already know the internal UUID of the target chat channel, which is unlikely to be exposed to external actors, so the realistic threat is a malicious or compromised account that legitimately holds update world somewhere on the server. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, all of which point to a low likelihood of widespread exploitation at present. Nonetheless, a cross-tenant authorization bypass that exposes private conversations is a significant risk for organizations relying on a shared Venueless server for confidential event communication.

Generated by OpenCVE AI on March 27, 2026 at 15:59 UTC.
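The class of bug the analysis above describes, a report export that authorizes against the caller's world but then fetches the channel by bare UUID from a server-wide table, is shown below beside the hardened form. This is an added illustration written for this page, not Venueless code; the World/Channel/User model, the "update world" permission string, the UUIDs and the function names are assumptions chosen to mirror the advisory's wording.

```python
"""Vulnerable vs. hardened channel lookup for a per-world report export.

Added illustration for this page. It is NOT Venueless code: the data model
(Channel, User), the permission string and the function names are invented
to show the class of bug the advisory describes, namely an object lookup by
bare UUID that is not scoped to the tenant (world) in which the caller's
permission was checked.
"""
from dataclasses import dataclass, field


@dataclass
class Channel:
    id: str            # internal channel UUID (the value the attacker must know)
    world_id: str      # world this channel, or direct-message thread, belongs to
    messages: list[str] = field(default_factory=list)


@dataclass
class User:
    name: str
    # world_id -> permissions held in that world (assumed model, not Venueless's)
    permissions: dict[str, set[str]] = field(default_factory=dict)

    def has_permission(self, world_id: str, perm: str) -> bool:
        return perm in self.permissions.get(world_id, set())


class Forbidden(Exception):
    """Caller lacks the permission in the requested world."""


class NotFound(Exception):
    """No such channel in the requested world."""


# Constructed sample data: one server, two worlds, fixed UUIDs for repeatability.
CHANNEL_A = Channel("11111111-1111-4111-8111-111111111111", "world-a", ["hello from A"])
CHANNEL_B_DM = Channel("22222222-2222-4222-8222-222222222222", "world-b", ["private DM in B"])
CHANNELS = {c.id: c for c in (CHANNEL_A, CHANNEL_B_DM)}   # server-wide table

# Attacker legitimately holds "update world" in world A only.
ATTACKER = User("attacker", {"world-a": {"update world"}})


def export_report_vulnerable(user: User, world_id: str, channel_id: str) -> list[str]:
    """Bug pattern: the permission is checked against the caller's world, but
    the channel is then fetched from the server-wide table by bare UUID, so a
    channel from any other world on the server is returned as well."""
    if not user.has_permission(world_id, "update world"):
        raise Forbidden(world_id)
    channel = CHANNELS.get(channel_id)        # no tenant scope on the lookup
    if channel is None:
        raise NotFound(channel_id)
    return list(channel.messages)


def export_report_fixed(user: User, world_id: str, channel_id: str) -> list[str]:
    """Hardened form: permission check and object lookup are bound to the same
    world. A channel that exists but belongs to another world is reported as
    NotFound, so the response does not even confirm that the UUID is valid
    elsewhere on the server."""
    if not user.has_permission(world_id, "update world"):
        raise Forbidden(world_id)
    channel = CHANNELS.get(channel_id)
    if channel is None or channel.world_id != world_id:
        raise NotFound(channel_id)
    return list(channel.messages)


def outcome(handler, user: User, world_id: str, channel_id: str):
    """Run a handler and reduce its result to a value that is easy to compare."""
    try:
        return handler(user, world_id, channel_id)
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Cross-world read: succeeds against the vulnerable handler, fails against the fix.
    print(outcome(export_report_vulnerable, ATTACKER, "world-a", CHANNEL_B_DM.id))
    print(outcome(export_report_fixed, ATTACKER, "world-a", CHANNEL_B_DM.id))
```

The fix is the single `channel.world_id != world_id` comparison: the lookup is scoped to the world the permission was checked in, and a foreign channel is indistinguishable from a non-existent one. In a real ORM the same effect is obtained by filtering the channel query on the world (for example a per-world queryset) instead of querying by primary key alone.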

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor fix for the reporting bug as soon as one is published; none is listed on this page at the time of writing
  • Inventory which accounts hold the update world permission in every world on a shared server, and remove it from anyone who does not require it
  • Until a fix is deployed, restrict the update world permission or limit access to the reporting feature, and treat all worlds on a shared server as one trust domain for chat confidentiality

Generated by OpenCVE AI on March 27, 2026 at 15:59 UTC.


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Pretix; Pretix venueless
Vendors & Products   -                Pretix; Pretix venueless

Sat, 28 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 13:00:00 +0000

Type                 Values Removed   Values Added
Description          -                A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature. The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
Title                -                Unauthorized access to chat contents
Weaknesses           -                CWE-20
References           -
Metrics              -                cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-03-27T19:39:20.014Z

Reserved: 2026-03-27T12:15:15.436Z

Link: CVE-2026-4982

Vulnrichment

Updated: 2026-03-27T19:30:32.864Z

NVD

Status : Awaiting Analysis

Published: 2026-03-27T13:16:25.297

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-4982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:05Z

Weaknesses