cvedb.io
CVE-2026-5600
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2026-04-08T13:16:43.543 · Last modified 2026-06-17T10:59:20.780

Summary

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually

Affected products

pretix — pretix

Does this affect you?

Add your gear to cvedb and we'll alert you only when pretix ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.