Data exposed without proper permission
CVE-2026-11764

3.6LOW

Key Information:

Vendor: Pretix
Status: Pretix
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-11764?

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

Affected Version(s)

pretix 2024.1.0 < 2026.3.0

pretix 2026.3.0 < 2026.4.0

pretix 2026.4.0 < 2026.5.0

References

https://pretix.eu/about/en/blog/20260609-release-2026-5-1/

vendor-advisory

CVSS V4

Score:

3.6

Severity:

LOW

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Mr. JDH

CVE-2026-11764 Data

JSON

Pretix

What is CVE-2026-11764?

Affected Version(s)

References

CVSS V4

Timeline

Credit