Description
Our payment integration with Mollie did not properly validate payment
status responses. An attacker could use a successful payment status
response from one payment and supply it to the system for a different
payment, gaining access to multiple valid tickets with only one payment.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The payment integration with Mollie in the pretix-mollie plugin does not validate payment status responses correctly, allowing an attacker to reuse a successful response from one payment for a different transaction, causing the system to issue tickets that have not been paid for. This bypasses the payment process and enables the attacker to illegitimately acquire valid tickets, compromising the integrity of ticket access and potentially the financial model of an event.

Affected Systems

The vulnerability affects the pretix-mollie plugin provided by pretix. No specific version details are supplied, so any deployment using this plugin that has not applied a patch to properly validate Mollie payment status responses may be vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in CISA KEV. The likely attack path involves sending a forged payment status update to a pretix instance that trusts the Mollie response, a capital requirement that can be met with remote network access. Upon exploitation, an attacker can obtain multiple tickets with a single payment, creating financial loss and undermining trust in the event system. While no public exploit is documented, the impact of payment bypass remains significant, making the risk moderate to high for unattended systems.

Generated by OpenCVE AI on June 25, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of pretix that includes the payment status validation fix (for example, 2026.5.2 or later).
  • Configure the system to enforce strict validation of Mollie payment status responses and reject any status updates that do not match the internal transaction record.
  • Regularly audit ticket issuance logs to detect unusual patterns such as a single payment generating multiple tickets.

Generated by OpenCVE AI on June 25, 2026 at 15:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix-mollie
Vendors & Products Pretix
Pretix pretix-mollie

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
Title Insufficient validation of payment status in pretix-mollie
Weaknesses CWE-841
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

Pretix Pretix-mollie
cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:13:30.071Z

Reserved: 2026-06-24T15:59:32.629Z

Link: CVE-2026-57536

cve-icon Vulnrichment

Updated: 2026-06-25T15:13:25.007Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:35Z

Weaknesses
  • CWE-841

    Improper Enforcement of Behavioral Workflow