CVE-2026-5600 (GCVE-0-2026-5600)

Vulnerability from cvelistv5 – Published: 2026-04-08 12:24 – Updated: 2026-04-08 16:03
Summary
A new API endpoint introduced in pretix 2025.10.0 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. An API consumer whose access is limited to one event therefore receives the scan records of every other event under the same organizer, including events it has no permission for; the event-level isolation the URL implies is not enforced at this endpoint (CWE-653).

These records contain the time and result of every ticket scan as well as the ID of the matched ticket (the order position). Example record:

{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}

An unauthorized user usually has no way to match these IDs (position) back to individual people, which is why the confidentiality impact on the vulnerable system is rated low (VC:L). The cross-event scan timeline itself (scan times, entry/exit types, results, device and gate) is still disclosed.
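The bug class in ORM terms, as an added example that is not pretix code: an event-scoped endpoint builds its check-in queryset by organizer instead of by the event named in the URL, so sibling events leak. The model, sample data and function names below are constructed for the illustration; `leaked_foreign_lists` is the kind of regression check that distinguishes the two queries.

```python
"""Illustration of the CVE-2026-5600 bug class: an event-scoped endpoint that
filters by organizer instead of by event. Added example with a constructed
in-memory model; it is not pretix code and all names are hypothetical."""
from collections.abc import Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    slug: str
    organizer: str


@dataclass(frozen=True)
class CheckinList:
    id: int
    event: Event


@dataclass(frozen=True)
class Checkin:
    id: int
    list: CheckinList   # named after the "list" field in the advisory's record
    position: int
    successful: bool
    type: str = "entry"


# Constructed sample data: one organizer, two events, scans in both.
ORG = "demo-org"
EVENT_A = Event("conf-a", ORG)
EVENT_B = Event("conf-b", ORG)
LIST_A = CheckinList(456, EVENT_A)
LIST_B = CheckinList(789, EVENT_B)
CHECKINS = [
    Checkin(123, LIST_A, 321, True),
    Checkin(124, LIST_A, 322, False, "exit"),
    Checkin(125, LIST_B, 900, True),
]


def checkins_vulnerable(organizer: str, event: Event) -> list[Checkin]:
    """The bug pattern: the handler receives the event from the URL but the
    queryset only narrows on the organizer (the ORM equivalent of
    filter(list__event__organizer=organizer)), so every sibling event's
    scans come back too."""
    return [c for c in CHECKINS if c.list.event.organizer == organizer]


def checkins_fixed(organizer: str, event: Event) -> list[Checkin]:
    """Fixed: narrow on the event the request is scoped to (and keep the
    organizer check so a mismatched organizer/event pair yields nothing)."""
    return [
        c for c in CHECKINS
        if c.list.event == event and c.list.event.organizer == organizer
    ]


def serialize(c: Checkin) -> dict:
    """Subset of the record shape shown in the advisory."""
    return {"id": c.id, "successful": c.successful, "position": c.position,
            "list": c.list.id, "type": c.type}


def leaked_foreign_lists(rows: Iterable[Checkin], event: Event) -> set[int]:
    """Regression check: ids of check-in lists in a response that belong to a
    different event than the one requested. Empty set means correctly scoped."""
    return {c.list.id for c in rows if c.list.event != event}


if __name__ == "__main__":
    print("vulnerable leaks lists:", leaked_foreign_lists(checkins_vulnerable(ORG, EVENT_A), EVENT_A))
    print("fixed leaks lists:", leaked_foreign_lists(checkins_fixed(ORG, EVENT_A), EVENT_A))
    print([serialize(c) for c in checkins_fixed(ORG, EVENT_A)])
```

The same check can be run against a live response: collect the `list` ids in the endpoint's output for one event and compare them with that event's own check-in lists; any id from another event means the instance is still on a vulnerable release.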
CWE
  • CWE-653 - Improper isolation or compartmentalization
Assigner
rami.io
Metrics
CVSS 4.0 base score 5.5 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H (CNA). CISA SSVC: Exploitation none, Automatable no, Technical Impact partial. EPSS 0.00016 (percentile 0.03694, 2026-04-17).
Impacted products
Vendor   Product   Version
pretix   pretix    Affected: 2025.10.0 up to (excluding) 2026.1.2 (python)
                   Affected: 2026.2.0 up to (excluding) 2026.2.1 (python)
                   Affected: 2026.3.0 up to (excluding) 2026.3.1 (python)
Fixed in 2026.1.2, 2026.2.1 and 2026.3.1; all other versions are unaffected per the record's defaultStatus.
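A check against the affected ranges above, as an added example that is not pretix or CVE Program code: the entries are copied from the record's `cna.affected[0].versions`, `lessThan` is exclusive in cvelistv5 (so 2026.1.2 itself is the fixed release), and versions are compared as tuples of integers rather than strings so that 2025.9.x sorts before 2025.10.0. That pretix version strings are plain dotted integers is an assumption of this example.

```python
"""Decide whether an installed pretix version is in the CVE-2026-5600 affected
ranges. Added example; AFFECTED is copied from the CVE record
(cna.affected[0].versions) and DEFAULT_STATUS from its defaultStatus.
Assumption: version strings are plain dotted integers (CalVer like 2026.3.1)."""
from typing import Optional

AFFECTED = [
    {"version": "2025.10.0", "lessThan": "2026.1.2", "status": "affected"},
    {"version": "2026.2.0", "lessThan": "2026.2.1", "status": "affected"},
    {"version": "2026.3.0", "lessThan": "2026.3.1", "status": "affected"},
]
DEFAULT_STATUS = "unaffected"


def parse_version(v: str) -> tuple[int, ...]:
    """'2026.1.2' -> (2026, 1, 2). Integer tuples compare numerically, so
    (2025, 9, 0) < (2025, 10, 0), unlike the strings '2025.9.0' and '2025.10.0'.
    Anything that is not dotted integers is rejected rather than guessed at."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def status_for(version: str, affected=AFFECTED, default=DEFAULT_STATUS) -> str:
    """cvelistv5 range semantics: an entry covers version <= v < lessThan."""
    v = parse_version(version)
    for entry in affected:
        if parse_version(entry["version"]) <= v < parse_version(entry["lessThan"]):
            return entry["status"]
    return default


def minimum_fix_for(version: str, affected=AFFECTED) -> Optional[str]:
    """Smallest release on the same branch that leaves the affected range,
    or None when the version is not affected."""
    v = parse_version(version)
    for entry in affected:
        if parse_version(entry["version"]) <= v < parse_version(entry["lessThan"]):
            return entry["lessThan"]
    return None


if __name__ == "__main__":
    for ver in ("2025.9.0", "2025.10.0", "2026.1.1", "2026.1.2", "2026.3.0", "2026.3.1"):
        print(ver, status_for(ver), minimum_fix_for(ver))
```

On a live instance the version string to feed in is what `pip show pretix` reports for the installed package; a version not covered by any range is unaffected only because the record says so, so re-run the check when the record is updated.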
Credits
Pratik Karan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5600",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T16:02:54.453740Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T16:03:07.473Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.python.org",
          "defaultStatus": "unaffected",
          "packageName": "pretix",
          "product": "pretix",
          "vendor": "pretix",
          "versions": [
            {
              "lessThan": "2026.1.2",
              "status": "affected",
              "version": "2025.10.0",
              "versionType": "python"
            },
            {
              "lessThan": "2026.2.1",
              "status": "affected",
              "version": "2026.2.0",
              "versionType": "python"
            },
            {
              "lessThan": "2026.3.1",
              "status": "affected",
              "version": "2026.3.0",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pratik Karan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
            }
          ],
          "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "auth"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-653",
              "description": "CWE-653 Improper isolation or compartmentalization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T12:24:51.602Z",
        "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "shortName": "rami.io"
      },
      "references": [
        {
          "url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
    "assignerShortName": "rami.io",
    "cveId": "CVE-2026-5600",
    "datePublished": "2026-04-08T12:24:51.602Z",
    "dateReserved": "2026-04-05T12:25:54.058Z",
    "dateUpdated": "2026-04-08T16:03:07.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-5600",
      "date": "2026-04-17",
      "epss": "0.00016",
      "percentile": "0.03694"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-5600\",\"sourceIdentifier\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\",\"published\":\"2026-04-08T13:16:43.543\",\"lastModified\":\"2026-04-08T21:26:13.410\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A new API endpoint introduced in pretix 2025 that is supposed to \\nreturn all check-in events of a specific event in fact returns all \\ncheck-in events belonging to the respective organizer. This allows an \\nAPI consumer to access information for all other events under the same \\norganizer, even those they should not have access to.\\n\\n\\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\\n\\n\\n{\\n  \\\"id\\\": 123,\\n  \\\"successful\\\": true,\\n  \\\"error_reason\\\": null,\\n  \\\"error_explanation\\\": null,\\n  \\\"position\\\": 321,\\n  \\\"datetime\\\": \\\"2020-08-23T09:00:00+02:00\\\",\\n  \\\"list\\\": 456,\\n  \\\"created\\\": \\\"2020-08-23T09:00:00+02:00\\\",\\n  \\\"auto_checked_in\\\": false,\\n  \\\"gate\\\": null,\\n  \\\"device\\\": 1,\\n  \\\"device_id\\\": 1,\\n  \\\"type\\\": \\\"entry\\\"\\n}\\n\\n\\n\\nAn unauthorized user usually has no way to match these IDs (position) back to individual 
people.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-653\"}]}],\"references\":[{\"url\":\"https://pretix.eu/about/en/blog/20260408-release-2026-3-1/\",\"source\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5600\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T16:02:54.453740Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T16:03:04.613Z\"}}], \"cna\": {\"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Pratik Karan\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"auth\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.5, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"pretix\", \"product\": \"pretix\", \"versions\": [{\"status\": \"affected\", \"version\": \"2025.10.0\", \"lessThan\": \"2026.1.2\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.2.0\", \"lessThan\": \"2026.2.1\", \"versionType\": \"python\"}, {\"status\": \"affected\", 
\"version\": \"2026.3.0\", \"lessThan\": \"2026.3.1\", \"versionType\": \"python\"}], \"packageName\": \"pretix\", \"collectionURL\": \"https://pypi.python.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://pretix.eu/about/en/blog/20260408-release-2026-3-1/\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A new API endpoint introduced in pretix 2025 that is supposed to \\nreturn all check-in events of a specific event in fact returns all \\ncheck-in events belonging to the respective organizer. This allows an \\nAPI consumer to access information for all other events under the same \\norganizer, even those they should not have access to.\\n\\n\\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\\n\\n\\n{\\n  \\\"id\\\": 123,\\n  \\\"successful\\\": true,\\n  \\\"error_reason\\\": null,\\n  \\\"error_explanation\\\": null,\\n  \\\"position\\\": 321,\\n  \\\"datetime\\\": \\\"2020-08-23T09:00:00+02:00\\\",\\n  \\\"list\\\": 456,\\n  \\\"created\\\": \\\"2020-08-23T09:00:00+02:00\\\",\\n  \\\"auto_checked_in\\\": false,\\n  \\\"gate\\\": null,\\n  \\\"device\\\": 1,\\n  \\\"device_id\\\": 1,\\n  \\\"type\\\": \\\"entry\\\"\\n}\\n\\n\\n\\nAn unauthorized user usually has no way to match these IDs (position) back to individual people.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \\nreturn all check-in events of a specific event in fact returns all \\ncheck-in events belonging to the respective organizer. This allows an \\nAPI consumer to access information for all other events under the same \\norganizer, even those they should not have access to.\u003c/p\u003e\\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. 
Example:\u003c/p\u003e\\n\u003cpre\u003e\u003ccode\u003e{\\n  \\\"id\\\": 123,\\n  \\\"successful\\\": true,\\n  \\\"error_reason\\\": null,\\n  \\\"error_explanation\\\": null,\\n  \\\"position\\\": 321,\\n  \\\"datetime\\\": \\\"2020-08-23T09:00:00+02:00\\\",\\n  \\\"list\\\": 456,\\n  \\\"created\\\": \\\"2020-08-23T09:00:00+02:00\\\",\\n  \\\"auto_checked_in\\\": false,\\n  \\\"gate\\\": null,\\n  \\\"device\\\": 1,\\n  \\\"device_id\\\": 1,\\n  \\\"type\\\": \\\"entry\\\"\\n}\\n\u003c/code\u003e\u003c/pre\u003e\\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-653\", \"description\": \"CWE-653 Improper isolation or compartmentalization\"}]}], \"providerMetadata\": {\"orgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"shortName\": \"rami.io\", \"dateUpdated\": \"2026-04-08T12:24:51.602Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-5600\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T16:03:07.473Z\", \"dateReserved\": \"2026-04-05T12:25:54.058Z\", \"assignerOrgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"datePublished\": \"2026-04-08T12:24:51.602Z\", \"assignerShortName\": \"rami.io\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}