CVE-2026-5600 (GCVE-0-2026-5600)
Vulnerability from cvelistv5
Published: 2026-04-08 12:24
Modified: 2026-04-08 16:03
CWE
- CWE-653 - Improper isolation or compartmentalization
Summary
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:

```json
{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}
```

An unauthorized user usually has no way to match these IDs (`position`) back to individual people.
References
- https://pretix.eu/about/en/blog/20260408-release-2026-3-1/
Impacted products
- pretix (PyPI package `pretix`) 2025.10.0 up to, but not including, 2026.1.2
- pretix 2026.2.0 up to, but not including, 2026.2.1
- pretix 2026.3.0 up to, but not including, 2026.3.1
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T16:02:54.453740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:03:07.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.1.2",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.2.1",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"lessThan": "2026.3.1",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
}
],
"value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "auth"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T12:24:51.602Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5600",
"datePublished": "2026-04-08T12:24:51.602Z",
"dateReserved": "2026-04-05T12:25:54.058Z",
"dateUpdated": "2026-04-08T16:03:07.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}