CVE-2026-9712
Deferred Deferred - Pending Action
Insecure Direct Object Reference in Pretix Export API

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: rami.io

Description
When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-9712
EUVD
EUVD-2026-32530
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pretix pretix 2026.4.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the pretix API when creating an export job. The API returns a UUID to the client, which is used to request the export file for download. However, one API endpoint does not properly verify whether the UUID used for downloading a file actually belongs to a file that should be downloadable or to the correct user.

This means that if an attacker obtains a valid UUID for a file, they might be able to download files they are not authorized to access. However, exploiting this vulnerability is difficult because obtaining a valid UUID without another security issue (such as access to logs) is unlikely.

Impact Analysis

The impact of this vulnerability is that an attacker who manages to obtain a valid UUID could potentially download files they should not have access to. This could lead to unauthorized disclosure of sensitive information.

However, the vulnerability is rated with a relatively low severity (CVSS 3.8), and exploitation is considered hard because it requires access to a valid UUID, which is unlikely without another security flaw.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should update your pretix installation to version 2026.4.2 or later, which contains the security fix addressing this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9712. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart