API Vulnerability in Pretix Event Management Software by Pretix
CVE-2026-5600

5.5 MEDIUM

Key Information:

Vendor: Pretix
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-5600?

A flaw in a newly introduced API endpoint of Pretix allows unauthorized access to check-in data across multiple events belonging to the same organizer. The endpoint, intended to return details for one specific event, inadvertently returns check-in information for all events managed by that organizer. This can expose sensitive data, including ticket scan results, timestamps, and ticket IDs, so an API consumer can potentially read information that should remain confidential, posing a significant risk to user privacy.
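The defect class described above, as an added example that is not pretix's own code: a constructed in-memory model with one organizer and two events, a handler that filters check-ins only by organizer (the behaviour the advisory describes), the corrected handler that scopes results to the requested event, and a regression check a defender can keep in a test suite. Names, data and function signatures are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    slug: str
    organizer: str


@dataclass(frozen=True)
class Checkin:
    event: str        # slug of the event the scan belongs to
    ticket_id: str
    scanned_at: str   # ISO 8601 timestamp of the scan


# Constructed sample data: one organizer ("acme") running two events.
EVENTS = {
    "conf-a": Event("conf-a", "acme"),
    "conf-b": Event("conf-b", "acme"),
}
CHECKINS = [
    Checkin("conf-a", "T-1001", "2026-04-01T09:00:00Z"),
    Checkin("conf-a", "T-1002", "2026-04-01T09:05:00Z"),
    Checkin("conf-b", "T-2001", "2026-04-02T10:00:00Z"),
]


def checkins_vulnerable(organizer: str, event_slug: str) -> list[Checkin]:
    """Filters only by organizer: the requested slug is never applied,
    so scans from every event of that organizer are returned."""
    slugs = {e.slug for e in EVENTS.values() if e.organizer == organizer}
    return [c for c in CHECKINS if c.event in slugs]


def checkins_fixed(organizer: str, event_slug: str) -> list[Checkin]:
    """Resolves the event within the organizer first, then scopes the
    query to exactly that event."""
    event = EVENTS.get(event_slug)
    if event is None or event.organizer != organizer:
        raise PermissionError("event not found for this organizer")
    return [c for c in CHECKINS if c.event == event_slug]


def leaked_events(rows: list[Checkin], requested_slug: str) -> list[str]:
    """Regression check: event slugs present in a response other than
    the one requested. An empty list means no cross-event leakage."""
    return sorted({c.event for c in rows} - {requested_slug})
```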

Affected Version(s)

pretix 2025.10.0 < 2026.1.2

pretix 2026.2.0 < 2026.2.1

pretix 2026.3.0 < 2026.3.1

References

CVSS V4

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pratik Karan