API Misconfiguration in Pretix Allows Unauthorized File Access
CVE-2026-9712

3.8 LOW

Key Information:

Vendor: Pretix
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-9712?

An endpoint in the Pretix API lets API clients download files by UUID without verifying that the file belongs to the requesting user. UUIDs issued for export jobs and temporary files are otherwise handled securely, but this one endpoint skips the ownership check, so any API client that presents a valid UUID receives the file. Exploitation is not straightforward, because the attacker must first obtain a valid UUID by other means; once one is obtained, however, the result is unauthorized read access to another user's file. Operators should upgrade to a release outside the affected ranges listed below, and review their access controls and API access logs for downloads that do not match the requesting account.
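To make the missing check concrete, the following is an added example and not pretix code: it models a UUID-keyed download handler in its vulnerable form (lookup by UUID only) and its fixed form (lookup scoped to the requester), using an in-memory store that stands in for the database. The store, the owner field, the sample payloads and all function names are assumptions made for the illustration; the real endpoint and its data model may differ.

```python
"""Illustrative model of a UUID-keyed download endpoint with and without
an ownership check. This is NOT pretix code; all names and data are
constructed for the example."""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class ExportJob:
    job_id: uuid.UUID
    owner: str      # assumed: the account the export belongs to
    content: bytes  # assumed: the file bytes the endpoint would serve


class NotFound(Exception):
    """Signals an HTTP 404 to the caller (object absent OR not theirs)."""


# Constructed sample data: two exports owned by two different accounts.
JOBS: dict[uuid.UUID, ExportJob] = {}
for _owner, _payload in (("alice", b"alice-orders.csv"), ("bob", b"bob-orders.csv")):
    _job = ExportJob(uuid.uuid4(), _owner, _payload)
    JOBS[_job.job_id] = _job


def job_id_for(owner: str) -> uuid.UUID:
    """Helper for the demo: the UUID of the export owned by `owner`."""
    return next(j.job_id for j in JOBS.values() if j.owner == owner)


def download_vulnerable(job_id: uuid.UUID, requester: str) -> bytes:
    """Vulnerable pattern: resolves the UUID and serves the file.

    The random UUID is treated as if it were an authorization token.
    Anyone who learns the UUID (leak, log, shared link) gets the file,
    regardless of who `requester` is.
    """
    job = JOBS.get(job_id)
    if job is None:
        raise NotFound
    return job.content


def download_fixed(job_id: uuid.UUID, requester: str) -> bytes:
    """Fixed pattern: the lookup is scoped to the requesting account.

    Returning the same 404 for 'absent' and 'not yours' keeps the endpoint
    from confirming whether a guessed or leaked UUID exists at all.
    """
    job = JOBS.get(job_id)
    if job is None or job.owner != requester:
        raise NotFound
    return job.content


def cross_tenant_leak(handler) -> bool:
    """True if `handler` serves bob's file to alice given only bob's UUID."""
    try:
        return handler(job_id_for("bob"), "alice") == b"bob-orders.csv"
    except NotFound:
        return False


def unknown_uuid_is_404(handler) -> bool:
    """True if a UUID that exists nowhere yields a 404 from `handler`."""
    try:
        handler(uuid.uuid4(), "alice")
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler leaks across accounts:", cross_tenant_leak(download_vulnerable))
    print("fixed handler leaks across accounts:     ", cross_tenant_leak(download_fixed))
```

The point of the example is that an unguessable identifier limits discovery but is not an access control: the server must still tie the object to the caller on every request, as `download_fixed` does by checking the owner in the same step as the lookup.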

Affected Version(s)

pretix 2024.10.0 < 2026.2.0

pretix 2026.2.0 < 2026.3.0

pretix 2026.3.0 < 2026.4.0

CVSS v4

Score: 3.8
Severity: LOW
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published (27 May 2026)

Credit

Deepjyoti Roy