Description
A user with API access and "manage users" permission in any venueless
world is able to trigger deletion of user accounts in other worlds.
Published: 2026-04-05
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of user accounts across instances
Action: Immediate Patch
AI Analysis

Impact

A user who has API access and the "manage users" permission in any Venueless world can delete user accounts that belong to other worlds. This cross‑instance authorization bypass removes legitimate user data and can disrupt service availability for unaffected users. The weakness is a zero‑click, cross‑instance privilege escalation, identified as CWE‑653.

Affected Systems

All releases of the Venueless product from pretix are potentially affected, as no specific version ranges are provided. Existing installations should assume this vulnerability is present until a patch is released.

Risk and Exploitability

The CVSS score of 7.3 indicates moderate to high severity. Exploit probability data is not published, and the vulnerability is not currently listed in the known exploited vulnerabilities catalog. Because the attack requires only API access with the "manage users" permission, the risk of exploitation is significant. The likely attack vector is remote via the public API, and an attacker can directly delete accounts belonging to other instances.

Generated by OpenCVE AI on April 5, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Venueless update once available from pretix.
  • If a patch is not yet available, limit the "manage users" permission to trusted administrators only.
  • Monitor system logs for unauthorized deletion attempts and verify account integrity regularly.
  • Contact pretix Venueless support for guidance on additional mitigations.

Tracking


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pretix; Pretix venueless
Vendors & Products | | Pretix; Pretix venueless

Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
Title | | API allows deletion of users of other instance
Weaknesses | | CWE-653
References | |
Metrics | | cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H'}


Subscriptions

Pretix Venueless
MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-04-06T14:33:34.105Z

Reserved: 2026-04-05T12:25:52.821Z

Link: CVE-2026-5599

Vulnrichment

Updated: 2026-04-06T14:33:16.090Z

NVD

Status: Awaiting Analysis

Published: 2026-04-05T13:17:15.123

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:46Z

Weaknesses