{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5600", "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "state": "PUBLISHED", "assignerShortName": "rami.io", "dateReserved": "2026-04-05T12:25:54.058Z", "datePublished": "2026-04-08T12:24:51.602Z", "dateUpdated": "2026-04-08T16:03:07.473Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "shortName": "rami.io", "dateUpdated": "2026-04-08T12:24:51.602Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-653", "description": "CWE-653 Improper isolation or compartmentalization", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "auth"}]}], "affected": [{"vendor": "pretix", "product": "pretix", "collectionURL": "https://pypi.python.org", "packageName": "pretix", "versions": [{"status": "affected", "version": "2025.10.0", "lessThan": "2026.1.2", "versionType": "python"}, {"status": "affected", "version": "2026.2.0", "lessThan": "2026.2.1", "versionType": "python"}, {"status": "affected", "version": "2026.3.0", "lessThan": "2026.3.1", "versionType": "python"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.</p>\n<p>These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:</p>\n<pre><code>{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n</code></pre>\n<p>An unauthorized user usually has no way to match these IDs (<code>position</code>) back to individual people.</p>"}]}], "references": [{"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Pratik Karan", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:02:54.453740Z", "id": "CVE-2026-5600", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:03:07.473Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:02:54.453740Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:03:04.613Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pratik Karan"}], "impacts": [{"descriptions": [{"lang": "en", "value": "auth"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "pretix", "product": "pretix", "versions": [{"status": "affected", "version": "2025.10.0", "lessThan": "2026.1.2", "versionType": "python"}, {"status": "affected", "version": "2026.2.0", "lessThan": "2026.2.1", "versionType": "python"}, {"status": "affected", "version": "2026.3.0", "lessThan": "2026.3.1", "versionType": "python"}], "packageName": "pretix", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people.", "supportingMedia": [{"type": "text/html", "value": "<p>A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.</p>\n<p>These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:</p>\n<pre><code>{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n</code></pre>\n<p>An unauthorized user usually has no way to match these IDs (<code>position</code>) back to individual people.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-653", "description": "CWE-653 Improper isolation or compartmentalization"}]}], "providerMetadata": {"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "shortName": "rami.io", "dateUpdated": "2026-04-08T12:24:51.602Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5600", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:03:07.473Z", "dateReserved": "2026-04-05T12:25:54.058Z", "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "datePublished": "2026-04-08T12:24:51.602Z", "assignerShortName": "rami.io"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "matchCriteriaId": "467C4FAB-6446-4716-9C03-7AC9B72ECF58", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2025.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BFC10B5-5C62-4E2B-A387-9AB3F5A06F75", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DBC4AF8-B234-4ACB-BB04-06CC103DFF47", "versionEndExcluding": "2026.3.1", "versionStartIncluding": "2026.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."}], "id": "CVE-2026-5600", "lastModified": "2026-04-24T17:46:14.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary"}]}, "published": "2026-04-08T13:16:43.543", "references": [{"source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "tags": ["Vendor Advisory"], "url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-653"}], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.3.0,2026.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pretix", "source": "cna", "vendor": "pretix"}, "product": "pretix", "vendor": "pretix"}], "analysis": {"en": {"generated_at": "2026-04-08T13:50:34.782306+00:00", "value": {"mitigation_remediation": ["Upgrade pretix to version 2026.3.x or later to apply the vendor\u2011provided fix", "Restrict the API endpoint so that only authenticated users with explicit ownership of the requested event or organizer can retrieve data", "Revoke or rotate any long\u2011lived API tokens that existed prior to the patch", "Monitor API usage for anomalous patterns and enforce rate limiting to reduce potential abuse"], "summary": {"action": "Patch", "impact": "Unauthorized disclosure of event check\u2011in data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the pretix event management platform. All instances that have incorporated the 2025 API implementation are susceptible, including any version running from 2025 onward until the issue is patched. The product identifier is pretix:pretix and the specific affected versions are those that have not yet applied the 2026.3.x update released to address the endpoint bug.", "description_and_impact": "A newly introduced API endpoint in pretix 2025 was intended to return check\u2011in events for a single event but, due to a logic error, returns all check\u2011in events belonging to the same organizer. The response contains detailed records of each ticket scan, including timestamps, gate and device identifiers, success indicators, and scan list information. The exposed data leaks attendance patterns and potentially sensitive event information to anyone who can invoke the endpoint. This constitutes a lateral information disclosure weakness identified as CWE\u2011653.", "risk_and_exploitability": "The CVSS score of 5.5 signals a moderate risk primarily rooted in privacy concern rather than direct system compromise. EPSS data is unavailable and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is through an unauthorized or improperly scoped API call; it is inferred that an attacker would need an authenticated API client or a compromised token to access the endpoint, yet even that may not be required if the endpoint does not enforce proper ownership checks. The exposure can lead to regulatory, reputational, or legal repercussions for event organizers, especially in jurisdictions with strict data protection laws."}}}}, "created": "2026-04-08T19:27:07.585251+00:00", "title": "API Endpoint Exposes All Check\u2011In Events to Unauthorized Users", "updated": "2026-04-08T19:39:39.059469+00:00", "vendors": ["pretix", "pretix$PRODUCT$pretix"]}