CVE-2026-5599

HIGH

API allows deletion of users of other instance

Title source: cna

Description

A user with API access and "manage users" permission in any Venueless world is able to trigger deletion of user accounts in other worlds.

Scores

CVSS v4 7.3
EPSS 0.0025
EPSS Percentile 15.8%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-653
Status published
Products (1)
pretix/Venueless 0.0.0 - 02b9cbe5
Published Apr 05, 2026
Tracked Since Apr 05, 2026