CVE-2026-5600
Received Received - Intake
Insecure Direct Object Reference in pretix 2025 API Exposes Check-in Data

Publication date: 2026-04-08

Last updated on: 2026-04-24

Assigner: rami.io

Description
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually has no way to match these IDs (position) back to individual people.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5600
EUVD
EUVD-2026-20463
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pretix pretix From 2025.10.0 (inc) to 2026.1.2 (exc)
pretix pretix From 2026.2.0 (inc) to 2026.2.1 (exc)
pretix pretix From 2026.3.0 (inc) to 2026.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-653 The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized API consumers to access sensitive check-in event data across multiple events under the same organizer, which may include detailed records of ticket scans and associated metadata.

Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, as it involves improper access control and leakage of potentially sensitive event-related information.

However, the provided information does not explicitly state the impact on compliance with these standards or any regulatory consequences.

Executive Summary

CVE-2026-5600 is a medium-severity vulnerability in pretix introduced in version 2025. It involves an API endpoint that was intended to return all check-in events for a specific event. However, due to improper access control, this endpoint instead returns all check-in events for the entire organizer. This means an unauthorized API consumer can access sensitive check-in data across multiple events under the same organizer, which they should not have permission to view.

The exposed data includes detailed records of ticket scans such as the time and result of each scan, ticket ID, position, datetime, list ID, creation time, whether the check-in was automatic, gate, and device identifiers.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive event check-in data across multiple events managed by the same organizer. An attacker or unauthorized API consumer could access detailed ticket scan information, potentially compromising event security and privacy.

Although the exposed data does not directly link ticket positions to individual people, the information about ticket scans, times, and devices could still be used maliciously to infer patterns or gain unauthorized insights into event attendance.

Detection Guidance

This vulnerability involves an API endpoint in pretix that returns check-in event data for all events under an organizer instead of a specific event. Detection would involve monitoring API calls to this endpoint and checking if responses include data beyond the requested event scope.

Specifically, you can inspect network traffic or API logs for requests to the check-in events API endpoint and verify if the returned data contains check-in records from multiple events rather than a single event.

Since the vulnerability is related to unauthorized access to data, commands or tools that capture and analyze HTTP API traffic (such as curl, wget, or API testing tools like Postman) can be used to manually query the endpoint and inspect the returned JSON data for unexpected event data.

  • Use curl to query the API endpoint for a specific event and inspect if the response contains check-in data from other events: curl -H "Authorization: Bearer <token>" https://<pretix-server>/api/checkin/events/<event_id>/
  • Analyze API logs or network captures (e.g., using tcpdump or Wireshark) to identify responses containing check-in data that includes multiple event IDs or organizer-wide data.
Mitigation Strategies

The primary mitigation step is to update pretix to a fixed version where this vulnerability has been resolved.

  • Upgrade pretix to version 2026.3.1, 2026.2.1, or 2026.1.2 or later, as these versions contain the fix for this vulnerability.
  • If you are using the pretix Hosted service, no action is required as the service has already been protected.

Until the update is applied, restrict access to the vulnerable API endpoint to trusted users only and monitor API usage for suspicious access patterns.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5600. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart