Description
When creating an export through the pretix API, API clients are
returned a UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.

One remaining API endpoint, however, wrongly did not verify whether the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the requesting user. In reality, this is
hard to exploit because an attacker would need access to a valid UUID
for the file they want, which is unlikely without a separate security
problem giving them access to logs etc.
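The missing check described above, as an added Python illustration (not pretix's own code; the in-memory job store, user names and file paths are constructed): a download lookup that only checks that a job with the UUID exists, beside one that also verifies ownership and downloadable state and raises a reason that can be written to an audit log.

```python
"""Vulnerable vs. hardened lookup for a UUID-keyed export download endpoint.
Added illustration, not pretix's code; job store, user names and paths are constructed."""
import uuid
from dataclasses import dataclass
from enum import Enum

class JobState(Enum):
    PENDING = "pending"    # export still running
    DONE = "done"          # file ready for its owner to download
    INTERNAL = "internal"  # temp file for server-side use only, never downloadable

@dataclass(frozen=True)
class ExportJob:
    id: str
    owner: str
    state: JobState
    path: str

class Forbidden(Exception):
    """Request refused; the message is the reason to write to the audit log."""

# Constructed sample data (the first UUID is the example string from the advisory).
JOBS = {j.id: j for j in (
    ExportJob("35742818-c375-4d15-839f-d49aecce94d6", "alice", JobState.DONE, "/exports/alice-orders.csv"),
    ExportJob("0c4e5d2a-1b6f-4a9e-8d3c-7e2f1a0b9c8d", "bob", JobState.DONE, "/exports/bob-orders.csv"),
    ExportJob("9f8e7d6c-5b4a-4321-8fed-cba987654321", "alice", JobState.INTERNAL, "/tmp/alice-invoice-batch"),
)}

def download_vulnerable(jobs, job_id, requester):
    """Pattern behind CWE-639: only checks that a job with this UUID exists."""
    job = jobs.get(job_id)  # `requester` is never consulted, so any valid UUID is enough
    if job is None:
        raise Forbidden("no such job")
    return job.path

def download_hardened(jobs, job_id, requester):
    """Treats the UUID as a lookup key, not a credential: look up, then authorize."""
    try:
        uuid.UUID(job_id)  # reject malformed ids before touching the store
    except ValueError:
        raise Forbidden("malformed job id") from None
    job = jobs.get(job_id)
    # Same generic reason for missing and foreign jobs, so the response cannot
    # be used to confirm which UUIDs exist.
    if job is None or job.owner != requester:
        raise Forbidden("no such job")
    if job.state is not JobState.DONE:
        raise Forbidden(f"not downloadable: {job.state.value}")
    return job.path
```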
Published: 2026-05-27
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Pretix export API issues a unique identifier for each export job, and that identifier is subsequently used to request the file for download. One API endpoint fails to confirm that the UUID supplied for a download actually belongs to a file that the requesting user is permitted to retrieve. This is an instance of an insecure direct object reference flaw (CWE‑639) that could allow a malicious actor to download files they should not have access to if they possess a valid UUID. However, because obtaining a valid UUID would normally require access to logs or prior exploitation, the actual likelihood of successful exploitation is low, as reflected in the CVSS score of 3.8.

Affected Systems

The vulnerability affects the Pretix event‑ticketing system (vendor pretix). Versions prior to the 2026‑4‑2 release are potentially vulnerable, as that release applies the missing verification logic for UUIDs. The specific affected versions are not listed explicitly, but the problem is known to exist in releases before that update.

Risk and Exploitability

With a CVSS score of 3.8, the severity is low. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been exploited in the wild. The attack vector requires the attacker to obtain a valid UUID that is not owned by the target user, which is difficult without an additional security issue that exposes such identifiers. Consequently, the overall risk to an organization running an older Pretix installation is moderate, with low probability of exploitation but potential for minor unauthorized file disclosure.

Generated by OpenCVE AI on May 27, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Pretix patch: upgrade to version 2026‑4‑2 or later, which restores proper UUID ownership checks for the export download endpoint.
  • During the upgrade window, temporarily restrict the export download API to administrator‑only access or disable the endpoint for external users to prevent accidental data exposure.
  • Implement logging and alerting on the export endpoint to detect and investigate any unexpected download attempts using unverified UUIDs, helping to identify potential attempts or misconfigurations before they lead to data leakage.

Advisories

No advisories yet.

History

Thu, 28 May 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 04:00:00 +0000

Type: First time appeared
Values removed: (none)
Values added: Pretix; Pretix pretix

Type: Vendors & Products
Values removed: (none)
Values added: Pretix; Pretix pretix

Wed, 27 May 2026 15:15:00 +0000

Type: Description
Values added: the vulnerability description (identical to the Description section at the top of this page)

Type: Title
Values added: Insecure direct object reference

Type: Weaknesses
Values added: CWE-639

Type: References
Values added: (none)

Type: Metrics (cvssV4_0)
Values added: {'score': 3.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-05-28T15:39:28.686Z

Reserved: 2026-05-27T14:18:33.470Z

Link: CVE-2026-9712

Vulnrichment

Updated: 2026-05-28T15:39:25.263Z

NVD

Status : Deferred

Published: 2026-05-27T15:16:36.250

Modified: 2026-06-17T11:05:35.497

Link: CVE-2026-9712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:45:05Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key