Description
A new API endpoint introduced in pretix 2025 that is supposed to
return all check-in events of a specific event in fact returns all
check-in events belonging to the respective organizer. This allows an
API consumer to access information for all other events under the same
organizer, even those they should not have access to.


These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:


{
"id": 123,
"successful": true,
"error_reason": null,
"error_explanation": null,
"position": 321,
"datetime": "2020-08-23T09:00:00+02:00",
"list": 456,
"created": "2020-08-23T09:00:00+02:00",
"auto_checked_in": false,
"gate": null,
"device": 1,
"device_id": 1,
"type": "entry"
}



An unauthorized user usually has no way to match these IDs (position) back to individual people.
Published: 2026-04-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of event check‑in data
Action: Patch
AI Analysis

Impact

A newly introduced API endpoint in pretix 2025 was intended to return check‑in events for a single event but, due to a logic error, returns all check‑in events belonging to the same organizer. The response contains detailed records of each ticket scan, including timestamps, gate and device identifiers, success indicators, and scan list information. The exposed data leaks attendance patterns and potentially sensitive event information to anyone who can invoke the endpoint. This constitutes a lateral information disclosure weakness identified as CWE‑653.

Affected Systems

The vulnerability affects the pretix event management platform. All instances that have incorporated the 2025 API implementation are susceptible, including any version running from 2025 onward until the issue is patched. The product identifier is pretix:pretix and the specific affected versions are those that have not yet applied the 2026.3.x update released to address the endpoint bug.

Risk and Exploitability

The CVSS score of 5.5 signals a moderate risk primarily rooted in privacy concern rather than direct system compromise. EPSS data is unavailable and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is through an unauthorized or improperly scoped API call; it is inferred that an attacker would need an authenticated API client or a compromised token to access the endpoint, yet even that may not be required if the endpoint does not enforce proper ownership checks. The exposure can lead to regulatory, reputational, or legal repercussions for event organizers, especially in jurisdictions with strict data protection laws.

Generated by OpenCVE AI on April 8, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pretix to version 2026.3.x or later to apply the vendor‑provided fix
  • Restrict the API endpoint so that only authenticated users with explicit ownership of the requested event or organizer can retrieve data
  • Revoke or rotate any long‑lived API tokens that existed prior to the patch
  • Monitor API usage for anomalous patterns and enforce rate limiting to reduce potential abuse

Generated by OpenCVE AI on April 8, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wr8q-c73g-m7gp pretix: API leaks check-in data between events of the same organizer
History

Fri, 24 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title API Endpoint Exposes All Check‑In Events to Unauthorized Users

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix
Vendors & Products Pretix
Pretix pretix

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually has no way to match these IDs (position) back to individual people.
Weaknesses CWE-653
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Pretix Pretix
cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-04-08T16:03:07.473Z

Reserved: 2026-04-05T12:25:54.058Z

Link: CVE-2026-5600

cve-icon Vulnrichment

Updated: 2026-04-08T16:03:04.613Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T13:16:43.543

Modified: 2026-04-24T17:46:14.777

Link: CVE-2026-5600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:39Z

Weaknesses