Session Management Flaw in Pretix Payment Integration Plugin by Pretix
CVE-2026-13602

7.7 HIGH

Key Information:

Vendor: Pretix

CVE Published: 1 July 2026

What is CVE-2026-13602?

The Pretix payment integration plugins contain session management flaws. By manipulating cryptographically signed session parameters, an attacker can gain unauthorized access to backend systems and impersonate any user. The issue arises from insufficient validation of these session parameters, which permits parameter injection, and is compounded by the reuse of the same cryptographic keys across several system features. Affected plugins have been updated to validate session parameters strictly, so that only legitimate parameters are processed.
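As an added illustration (constructed for this page, not code from pretix or from the affected plugins), the following Python shows the two weaknesses the description names on a generic signed-parameter scheme, and the hardened counterpart: `sign_shared`/`verify_shared` use one raw secret for every feature and pass every decoded parameter through, while `verify_strict` binds the key to a named purpose and enforces an allowlist of session parameters. The secret, the purpose names, the `ALLOWED_PARAMS` set and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"
# Assumed allowlist: the only parameters a payment-return step may restore into the session.
ALLOWED_PARAMS = frozenset({"order", "payment"})

def _encode(payload: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()

def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def sign_shared(payload: dict) -> str:
    # Weak pattern: every feature signs with the same raw secret.
    body = _encode(payload)
    return f"{body}.{_mac(SECRET, body)}"

def verify_shared(token: str) -> Optional[dict]:
    # Weak pattern: only the MAC is checked, so a token minted by any other feature
    # is accepted here and every key in the payload reaches the session unchecked.
    body, _, mac = token.rpartition(".")
    if not hmac.compare_digest(mac, _mac(SECRET, body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def _purpose_key(purpose: str) -> bytes:
    # Derive a distinct key per feature so tokens are not interchangeable across features.
    return hmac.new(SECRET, purpose.encode(), hashlib.sha256).digest()

def sign_strict(payload: dict, purpose: str) -> str:
    body = _encode(payload)
    return f"{body}.{_mac(_purpose_key(purpose), body)}"

def verify_strict(token: str, purpose: str) -> Optional[dict]:
    # Hardened: purpose-bound key first, then an allowlist on the decoded parameters.
    body, _, mac = token.rpartition(".")
    if not hmac.compare_digest(mac, _mac(_purpose_key(purpose), body)):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if not isinstance(payload, dict) or not set(payload) <= ALLOWED_PARAMS:
        return None  # injected parameters (e.g. a user identifier) are refused
    return payload
```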

Affected Version(s)

pretix 4.14.0 < 2026.3.5

pretix 2026.4.0 < 2026.4.5

pretix 2026.5.0 < 2026.5.3

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved