CVE-2026-9712 (GCVE-0-2026-9712)
Vulnerability from cvelistv5
Published
2026-05-27 14:35
Modified
2026-05-28 15:39
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
When creating an export through the pretix API, API clients are
returned a UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.
One remaining API endpoint, however, did not verify whether the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the correct user. In practice, this is
hard to exploit because an attacker would need access to a valid
UUID for the file they want, which is unlikely without a
separate security problem giving them access to logs or similar.
References
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260527-release-2026-4-2/ | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:39:22.313424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:39:28.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.2.0",
"status": "affected",
"version": "2024.10.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.2.2",
"status": "unaffected"
}
],
"lessThan": "2026.3.0",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.2",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.2",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
}
],
"value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:35:58.857Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-9712",
"datePublished": "2026-05-27T14:35:58.857Z",
"dateReserved": "2026-05-27T14:18:33.470Z",
"dateUpdated": "2026-05-28T15:39:28.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"shortName\": \"rami.io\", \"dateUpdated\": \"2026-05-27T14:35:58.857Z\"}, \"title\": \"Insecure direct object reference\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\", \"type\": \"CWE\"}]}], \"affected\": [{\"vendor\": \"pretix\", \"product\": \"pretix\", \"collectionURL\": \"https://pypi.org/\", \"packageName\": \"pretix\", \"repo\": \"https://github.com/pretix/pretix\", \"versions\": [{\"status\": \"affected\", \"version\": \"2024.10.0\", \"lessThan\": \"2026.2.0\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.2.0\", \"lessThan\": \"2026.3.0\", \"changes\": [{\"at\": \"2026.2.2\", \"status\": \"unaffected\"}], \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.3.0\", \"lessThan\": \"2026.4.0\", \"changes\": [{\"at\": \"2026.3.2\", \"status\": \"unaffected\"}], \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.4.0\", \"lessThan\": \"2026.5.0\", \"changes\": [{\"at\": \"2026.4.2\", \"status\": \"unaffected\"}], \"versionType\": \"python\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"When creating an export through the pretix API, API clients are \\nreturned an UUID value for their export job (a long, random string like \\n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \\ncan then request the actual file for download. The same kind of UUID is \\nused in other places in pretix when temporary files are generated for \\ninternal use or download.\\n\\n\\n\\n\\nOne remaining API endpoint, however, wrongfully did not verify if the\\n UUID used for download actually belongs to a file that is supposed to \\nbe downloadable and belongs to the correct user. 
In reality, this is \\nhard to exploit because an attacker would need to have access to a valid\\n UUID for the file they desire which is unlikely to happen without a \\nseparate security problem giving them access to logs etc.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eWhen creating an export through the pretix API, API clients are \\nreturned an UUID value for their export job (a long, random string like \\n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \\ncan then request the actual file for download. The same kind of UUID is \\nused in other places in pretix when temporary files are generated for \\ninternal use or download.\u003c/p\u003e\\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\\n UUID used for download actually belongs to a file that is supposed to \\nbe downloadable and belongs to the correct user. In reality, this is \\nhard to exploit because an attacker would need to have access to a valid\\n UUID for the file they desire which is unlikely to happen without a \\nseparate security problem giving them access to logs etc.\u003c/p\u003e\"}]}], \"references\": [{\"url\": \"https://pretix.eu/about/en/blog/20260527-release-2026-4-2/\", \"tags\": [\"vendor-advisory\"]}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"exploitMaturity\": \"UNREPORTED\", \"Safety\": \"NOT_DEFINED\", \"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", 
\"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"version\": \"4.0\", \"baseSeverity\": \"LOW\", \"baseScore\": 3.8, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U\"}}], \"credits\": [{\"lang\": \"en\", \"value\": \"Deepjyoti Roy\", \"type\": \"finder\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9712\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-28T15:39:22.313424Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-28T15:39:25.263Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9712\", \"assignerOrgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"rami.io\", \"dateReserved\": \"2026-05-27T14:18:33.470Z\", \"datePublished\": \"2026-05-27T14:35:58.857Z\", \"dateUpdated\": \"2026-05-28T15:39:28.686Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}