CVE-2026-5599

HIGH

API allows deletion of users of other instance

Title source: cna

Description

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.

Scores

CVSS v4: 7.3
EPSS: 0.0005
EPSS Percentile: 14.4%
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H

Details

CWE: CWE-653
Status: published
Products (1): pretix/Venueless 0.0.0 - 02b9cbe5
Published: Apr 05, 2026
Tracked Since: Apr 05, 2026