Insecure Payment Integration in Pretix Plugin for VR Payment and Hobex
CVE-2026-13603
What is CVE-2026-13603?
The pretix-oppwa plugin, in its payment integrations for VR Payment and Hobex, does not securely handle URL parameters during the redirect back from the payment provider. An attacker can manipulate the resourcePath parameter in that request so that the plugin's follow-up API call is sent to an unauthorized server rather than to the payment provider. Because that call carries the access token, the token can be exposed, giving the attacker unauthorized access to sensitive data within the payment provider's systems. The issue is fixed in pretix-oppwa 1.4.4, which enforces strict validation of the API URL so that such redirection of API calls is no longer possible. Since a token may already have been exposed before the update, users are advised to reset their access tokens after applying the patch.
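The following Python is an added illustration written for this page; it is not the pretix-oppwa plugin's own code, and the provider base URL, the function names and the sample resourcePath values are all assumptions. It shows why joining an unvalidated resourcePath onto a configured API base URL can send the authenticated request to a different host, and the strict same-origin check that the fix described above calls for.

```python
from urllib.parse import urljoin, urlsplit

# Constructed value for this example: the provider API base URL a merchant
# would configure. Not a real plugin setting or provider endpoint.
PROVIDER_BASE_URL = "https://payments.example-provider.test/"


def build_status_url_insecure(base_url: str, resource_path: str) -> str:
    """Illustration of the weak pattern (hypothetical, not the plugin's code).

    urljoin() honours an absolute or protocol-relative resource_path, so a
    value taken straight from the redirect request can replace the host.
    """
    return urljoin(base_url, resource_path)


def build_status_url(base_url: str, resource_path: str) -> str:
    """Hardened join: the result must stay on the configured provider origin.

    Raises ValueError for anything that is not a plain absolute path on the
    configured scheme and host.
    """
    # Only a single-slash-relative path is acceptable; "//host/..." is
    # protocol-relative and "https://..." is absolute, both of which urljoin
    # would happily follow.
    if not resource_path.startswith("/") or resource_path.startswith("//"):
        raise ValueError("resourcePath must be an absolute path on the provider host")
    # Reject characters that commonly smuggle a different authority or break
    # URL parsing: backslash, '@', and anything outside printable ASCII.
    if any(c in resource_path for c in "\\@") or not all(
        0x21 <= ord(c) <= 0x7E for c in resource_path
    ):
        raise ValueError("resourcePath contains disallowed characters")
    candidate = urljoin(base_url, resource_path)
    expected = urlsplit(base_url)
    got = urlsplit(candidate)
    # Final check: scheme and host of the joined URL must equal the configured
    # base exactly. This catches anything the prefix checks did not.
    if (got.scheme, got.netloc) != (expected.scheme, expected.netloc):
        raise ValueError("resolved URL left the configured provider origin")
    return candidate


def is_safe_resource_path(base_url: str, resource_path: str) -> bool:
    """Boolean wrapper around build_status_url for callers that only decide."""
    try:
        build_status_url(base_url, resource_path)
        return True
    except ValueError:
        return False


def status_request(base_url: str, resource_path: str, token: str, entity_id: str):
    """Build the outgoing status request (URL and headers) without sending it.

    The bearer token is attached only after the URL has passed validation, so
    it can never travel to a host other than the configured provider.
    """
    url = build_status_url(base_url, resource_path)
    return {
        "url": url,
        "params": {"entityId": entity_id},  # hypothetical query parameter
        "headers": {"Authorization": f"Bearer {token}"},
    }


if __name__ == "__main__":
    good = "/v1/checkouts/abc123/payment"  # constructed sample path
    print(build_status_url(PROVIDER_BASE_URL, good))
    for bad in ("https://unexpected-host.test/x", "//unexpected-host.test/x",
                "/v1/checkouts@unexpected-host.test/"):
        print(bad, "->", "allowed" if is_safe_resource_path(PROVIDER_BASE_URL, bad) else "rejected")
```

The origin comparison after the join is the check that matters; the prefix and character tests are cheap early rejections that also give clearer error messages. Whatever validation is applied, the redirect-time parameter should be treated as untrusted input exactly like any other request parameter, and tokens that may have been sent to an unexpected host should be rotated, as the advisory recommends.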
Affected Version(s)
pretix-oppwa, all versions before 1.4.4 (>= 0, < 1.4.4)
