Platform: python
Component: pretix
Fixed in: 2026.1.2, 2026.2.1, 2026.3.1
CVE-2026-5600 is an information disclosure vulnerability in pretix affecting versions up to and including 2026.3.0. An API endpoint that should return the check-in events of one specific event instead returned all check-in events for the organizer, so a caller with API access to one event could read the check-in records of every other event run by the same organizer. Each record reveals the scan time, the scan result (successful or not), and the ID of the matched ticket. The fix is in pretix 2026.3.1; backported fixes are also listed for the 2026.1 and 2026.2 branches (2026.1.2 and 2026.2.1).
The primary impact of CVE-2026-5600 is unauthorized disclosure of check-in data. An attacker exploiting it learns when tickets were scanned, whether each scan succeeded, and which ticket was matched. That is enough to identify attendees, reconstruct attendance patterns over time, and correlate the records with other data sources to profile individuals. Direct financial loss is unlikely, but the exposure of attendee data is a privacy issue and a reputational risk for the organizer. The blast radius is every event managed by the affected organizer, which for large organizers can mean a large number of attendees.
Exploit Status
CVE-2026-5600 was publicly disclosed on April 8, 2026. There is currently no indication of active exploitation and no KEV listing. Public proof-of-concept code is not yet available, but the bug is a missing filter on an API response, so anyone holding an API token for one of the organizer's events could exploit it with an ordinary API request. The impact is data disclosure, not system compromise.
EPSS: 0.02% (4th percentile)
CISA SSVC: none listed
The primary mitigation for CVE-2026-5600 is to upgrade pretix to version 2026.3.1 or later (or to the fixed release of your branch, 2026.1.2 or 2026.2.1). If an immediate upgrade is not possible, restrict access to the affected API endpoint at the network level (firewall or access control list) and review which API tokens and team permissions grant check-in access, since any token that can read one event's check-ins can read all of them on a vulnerable version. Review API access logs for check-in queries from tokens that should only touch a single event. After upgrading, confirm the fix by calling the affected endpoint with an API token or team membership restricted to one event: the response must contain only check-ins belonging to that event, and must not include records from any other event of the same organizer.
Update pretix to version 2026.3.1 or later to fix the vulnerability. The update corrects the endpoint so that it returns only the check-in events of the requested event instead of all check-in events of the organizer.
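The post-upgrade check described above, written out as an added example (this is not pretix project code). It walks a pretix-style paginated response (`results`/`next`) and reports any check-in whose event slug differs from the event that was requested. The endpoint path in `checkins_url` and the field names `event`, `id`, `successful` and `position` are assumptions for illustration; replace them with the endpoint and fields named in the pretix advisory. The sample responses are constructed so the check runs offline; `make_http_fetch` shows how the same check would be pointed at a live instance.

```python
"""Verify that a per-event check-in endpoint no longer leaks other events
(CVE-2026-5600). Added example, not pretix code; paths and field names are
assumed for illustration."""
import json
import urllib.request

API_BASE = "https://pretix.example/api/v1"  # hypothetical instance


def checkins_url(organizer: str, event: str) -> str:
    # Assumed per-event check-in path; use the endpoint named in the advisory.
    return f"{API_BASE}/organizers/{organizer}/events/{event}/checkins/"


def cross_event_checkins(results: list, expected_event: str) -> list:
    """Return records whose 'event' slug is not the event we asked for."""
    return [r for r in results if r.get("event") != expected_event]


def verify_event_scoping(fetch_page, organizer: str, event: str):
    """Walk every page of the endpoint and collect leaked check-in IDs.

    fetch_page(url) must return the decoded JSON page (dict with 'results'
    and 'next', the pagination shape pretix uses). Returns (ok, leaked_ids).
    """
    leaked = []
    url = checkins_url(organizer, event)
    while url:
        page = fetch_page(url)
        leaked.extend(r["id"] for r in cross_event_checkins(page["results"], event))
        url = page.get("next")
    return (not leaked, leaked)


def make_http_fetch(token: str):
    """Fetch pages from a live instance; pretix API tokens are sent as
    'Authorization: Token <token>'. Not used by the offline run below."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Token {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def make_offline_fetch(pages: dict):
    """Serve constructed pages keyed by URL, for running the check offline."""
    def fetch(url: str) -> dict:
        if url not in pages:
            raise KeyError(f"no constructed response for {url}")
        return pages[url]
    return fetch


# Constructed sample data: organizer "acme" asks for event "democon".
ORG, EVENT = "acme", "democon"
FIRST = checkins_url(ORG, EVENT)
SECOND = FIRST + "?page=2"

def _rec(cid, event, when, ok, position):
    return {"id": cid, "event": event, "datetime": when,
            "successful": ok, "position": position}

# Vulnerable behaviour: a record from "othercon" appears in democon's listing.
PRE_FIX_PAGES = {
    FIRST: {"count": 3, "next": None, "previous": None, "results": [
        _rec(101, "democon", "2026-04-01T09:12:33Z", True, 5001),
        _rec(102, "democon", "2026-04-01T09:13:10Z", False, 5001),
        _rec(203, "othercon", "2026-04-02T18:40:05Z", True, 7042),
    ]},
}

# Fixed behaviour: two pages, every record belongs to democon.
POST_FIX_PAGES = {
    FIRST: {"count": 3, "next": SECOND, "previous": None, "results": [
        _rec(101, "democon", "2026-04-01T09:12:33Z", True, 5001),
        _rec(102, "democon", "2026-04-01T09:13:10Z", False, 5001),
    ]},
    SECOND: {"count": 3, "next": None, "previous": FIRST, "results": [
        _rec(103, "democon", "2026-04-01T09:20:41Z", True, 5007),
    ]},
}


def run_checks() -> dict:
    return {
        "pre_fix": verify_event_scoping(make_offline_fetch(PRE_FIX_PAGES), ORG, EVENT),
        "post_fix": verify_event_scoping(make_offline_fetch(POST_FIX_PAGES), ORG, EVENT),
    }


if __name__ == "__main__":
    for name, (ok, leaked) in run_checks().items():
        print(f"{name}: {'OK' if ok else 'LEAK'} leaked_ids={leaked}")
```

Against a live instance, replace the offline fetch with `make_http_fetch(token)` using a token whose team is restricted to the single event; a non-empty `leaked` list after the upgrade means the fix is not in place.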
CVE-2026-5600 is a vulnerability in pretix versions up to 2026.3.0 that allows unauthorized access to other events' check-in data through an API endpoint that filtered by organizer instead of by event. Severity is pending evaluation.
You are affected if you are running pretix 2026.3.0 or earlier. Check your installed version and upgrade to the fixed release for your branch (2026.1.2, 2026.2.1 or 2026.3.1).
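A small version check, added here as an example (not pretix code), that applies the fixed-in table on this page: a 2026.1, 2026.2 or 2026.3 install is affected if it is older than that branch's fixed release, and any other version at or below 2026.3.0 is treated as affected because no fixed release is listed for it. Pre-release suffixes such as `.dev0` are assumed to mean "before the release they name", so a development build of a fixed version still counts as affected.

```python
"""Decide whether an installed pretix version is affected by CVE-2026-5600.
Added example, not pretix code; based on the fixed-in releases on this page."""
import re
from importlib import metadata

# Fixed releases per branch, as listed for this CVE.
FIXED_IN = {
    (2026, 1): (2026, 1, 2),
    (2026, 2): (2026, 2, 1),
    (2026, 3): (2026, 3, 1),
}
LAST_AFFECTED = (2026, 3, 0)  # newest version the advisory calls affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str):
    """Return (year, minor, patch, is_final) for a pretix-style version.

    Assumption: anything after the third number (e.g. '.dev0') marks a
    pre-release that sorts before the final release with the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    year, minor, patch, suffix = m.groups()
    return (int(year), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(text: str) -> bool:
    year, minor, patch, is_final = parse_version(text)
    branch = (year, minor)
    if branch in FIXED_IN:
        # Final fixed release sorts as (..., 1); a pre-release of it as (..., 0).
        return (year, minor, patch, is_final) < FIXED_IN[branch] + (1,)
    return (year, minor, patch) <= LAST_AFFECTED


def installed_pretix_version():
    """Installed pretix version from package metadata, or None if not installed."""
    try:
        return metadata.version("pretix")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_pretix_version()
    if v is None:
        print("pretix is not installed in this environment")
    else:
        print(f"pretix {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```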
Upgrade pretix to version 2026.3.1 or later. If an upgrade is not immediately possible, restrict access to the vulnerable API endpoint.
There is currently no indication of active exploitation, but the bug is a missing per-event filter on an API response, so it is easy to exploit with any API token that has check-in access to one of the organizer's events.
Refer to the pretix security advisory on their website for detailed information and updates: [pretix security advisory URL - replace with actual URL when available]