Payment Status Response Validation Flaw in Pretix by Pretix
CVE-2026-13222

6.3MEDIUM

Key Information:

Vendor: Pretix
Status: Pretix-oppwa
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-13222?

The Pretix ticketing system has a vulnerability in its payment integration that fails to adequately validate payment status responses from Oppwa-based payment methods. This flaw may allow an attacker to use a legitimate payment status response from one transaction and apply it to a different payment, leading to unauthorized access to multiple valid tickets without making repeated payments.

Affected Version(s)

pretix-oppwa 0 < 1.4.3

References

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 24, 2026

Credit

Deepjyoti Roy

CVE-2026-13222 Data

JSON