CVE-2026-9712
Status: Received - Intake
BaseFortify

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: rami.io

Description
When creating an export through the pretix API, API clients are returned a UUID for their export job (a long, random string such as 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used elsewhere in pretix when temporary files are generated for internal use or download.

One remaining API endpoint, however, did not verify that the UUID used for download actually belongs to a file that is supposed to be downloadable and that belongs to the correct user. In practice this is hard to exploit, because an attacker would need a valid UUID for the file they want, which is unlikely without a separate security problem giving them access to logs or similar.
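The following is an added example, not pretix's own code, written in Python because pretix is a Django application. It contrasts a download lookup that trusts the job UUID alone (the pattern the description above refers to) with one scoped to the requesting user, the organizer, the job type and the job's completion state. All names (ExportJob, download_vulnerable, download_fixed, the sample users and jobs) are hypothetical, and the stored data is constructed for the example.

```python
import uuid
from dataclasses import dataclass


@dataclass
class ExportJob:
    """A stored file job (hypothetical model). 'kind' distinguishes
    user-requested exports from internal temporary files that reuse
    the same UUID scheme."""
    job_id: str
    owner: str       # user that created the job
    organizer: str   # organizer the job belongs to
    kind: str        # "export" (downloadable) or "internal" (never served)
    done: bool       # the file exists only once the job has finished
    payload: bytes


class NotFound(Exception):
    """One error for 'no such job' and 'not yours': the response must not
    reveal whether a guessed UUID exists."""


def build_store():
    """Constructed sample data, not real pretix records."""
    jobs = {}

    def add(owner, organizer, kind, done, payload):
        job = ExportJob(str(uuid.uuid4()), owner, organizer, kind, done, payload)
        jobs[job.job_id] = job
        return job

    alice = add("alice", "acme", "export", True, b"order,email\nA1,a@example.org\n")
    bob = add("bob", "globex", "export", True, b"order,email\nB7,b@example.org\n")
    scratch = add("bob", "globex", "internal", True, b"scratch data")
    pending = add("alice", "acme", "export", False, b"")
    return jobs, alice, bob, scratch, pending


def parse_job_id(raw):
    """Reject anything that is not a well-formed UUID before the lookup."""
    try:
        return str(uuid.UUID(raw))
    except (ValueError, AttributeError, TypeError):
        raise NotFound()


def download_vulnerable(jobs, raw_id, requester, organizer):
    """The bug pattern: the UUID alone selects the file. 'requester' and
    'organizer' are accepted but never checked."""
    job = jobs.get(parse_job_id(raw_id))
    if job is None:
        raise NotFound()
    return job.payload


def download_fixed(jobs, raw_id, requester, organizer):
    """Scope the lookup to the caller and to finished, downloadable exports."""
    job = jobs.get(parse_job_id(raw_id))
    if (
        job is None
        or job.owner != requester
        or job.organizer != organizer
        or job.kind != "export"
        or not job.done
    ):
        raise NotFound()
    return job.payload


def leaks(fn, jobs, job, requester, organizer):
    """True if fn serves 'job' to the given (requester, organizer)."""
    try:
        fn(jobs, job.job_id, requester, organizer)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    jobs, alice, bob, scratch, pending = build_store()
    # alice somehow learned bob's UUID (e.g. from a leaked log line)
    print("vulnerable serves bob's export to alice:",
          leaks(download_vulnerable, jobs, bob, "alice", "acme"))
    print("fixed serves bob's export to alice:",
          leaks(download_fixed, jobs, bob, "alice", "acme"))
    print("fixed serves alice's own export:",
          leaks(download_fixed, jobs, alice, "alice", "acme"))
```

Two design points carry over to any real implementation: the authorization predicate belongs in the query itself (owner, organizer, type and state together), not in a check bolted on after the file has been located, and every failing case returns the same error so that someone holding a leaked UUID cannot learn which organizer or user it belongs to.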
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the pretix API when creating an export job. The API returns a UUID to the client, which is used to request the export file for download. However, one API endpoint does not properly verify whether the UUID used for downloading a file actually belongs to a file that should be downloadable or to the correct user.

This means that if an attacker obtains a valid UUID for a file, they might be able to download files they are not authorized to access. However, exploiting this vulnerability is difficult because obtaining a valid UUID without another security issue (such as access to logs) is unlikely.


How can this vulnerability impact me?

An attacker who manages to obtain a valid UUID could download a file they are not authorized to access, leading to unauthorized disclosure of whatever the export contains.

The vulnerability is rated at a relatively low severity (CVSS 3.8), and exploitation is considered hard because it requires a valid UUID, which an attacker is unlikely to obtain without another security flaw such as access to logs. Note that the random UUID is the only thing standing between the attacker and the file here; the CWE-639 classification applies because the identifier, rather than the requester's authorization, decided access.

