Description
When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export did not have permission to view gift cards. This is inconsistent with the UI and the API, where only the first letters of a gift card secret are shown. The export therefore allowed a permission boundary to be circumvented.
References (1)
Vendor Advisory: https://pretix.eu/about/en/blog/20260609-release-2026-5-1/
Scores
CVSS v4: 3.6
EPSS: 0.0023
EPSS Percentile: 13.5%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-280 (Improper Handling of Insufficient Permissions or Privileges)
Status: published
Products (4)
pretix/pretix 2024.1.0 - 2026.3.0
pretix/pretix 2026.3.0 - 2026.4.0
pretix/pretix 2026.4.0 - 2026.5.0
pretix/pretix 2026.5.0 - 2026.6.0
Published: Jun 09, 2026
Tracked Since: Jun 09, 2026