CVE-2026-11764
Deferred - Pending Action
Exposure of Gift Card Secrets in Media Export

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: rami.io

Description
When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export did not have permission to view gift cards. This is inconsistent with the UI and API, where only the first letters of the gift card secret are shown. It therefore allows circumventing a permission boundary.
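
The permission gap described above, as an added example that is not pretix's code: an export path that bypasses the masking applied elsewhere, next to one that routes through a single permission-aware helper, plus a regression check. The classes, the `can_view_giftcards` permission name, the three-character prefix and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

VISIBLE_PREFIX = 3  # assumption: number of leading characters a masked view shows

@dataclass
class GiftCard:
    secret: str

@dataclass
class ReusableMedium:
    identifier: str
    linked_giftcard: Optional[GiftCard] = None

@dataclass
class User:
    name: str
    permissions: frozenset = frozenset()

def render_secret(card: GiftCard, user: User) -> str:
    """Single decision point for how much of a secret a given user may see."""
    if "can_view_giftcards" in user.permissions:  # hypothetical permission name
        return card.secret
    return card.secret[:VISIBLE_PREFIX] + "*" * (len(card.secret) - VISIBLE_PREFIX)

def export_media_vulnerable(media, user):
    # Flawed pattern: the export reads the raw field and never consults `user`.
    return [(m.identifier, m.linked_giftcard.secret if m.linked_giftcard else "")
            for m in media]

def export_media_hardened(media, user):
    # Same masking helper as every other view, so the boundary is enforced once.
    return [(m.identifier,
             render_secret(m.linked_giftcard, user) if m.linked_giftcard else "")
            for m in media]

def leaked_secrets(rows, media):
    """Regression check: full secrets that appear verbatim in export rows."""
    full = {m.linked_giftcard.secret for m in media if m.linked_giftcard}
    return sorted(secret for _, secret in rows if secret in full)

# Constructed sample data, not taken from any real installation.
SAMPLE_MEDIA = [
    ReusableMedium("NFC-0001", GiftCard("K7QX9M2LPA4T")),
    ReusableMedium("NFC-0002"),
    ReusableMedium("NFC-0003", GiftCard("ZB83HWR6YDN5")),
]
LIMITED = User("export-only")
PRIVILEGED = User("giftcard-admin", frozenset({"can_view_giftcards"}))
```

Running `leaked_secrets` over an export produced as a user without gift card permission gives a test that fails whenever a new export column reads the raw secret.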
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
pretix | pretix | 2026.5.1
CWE ID | Description
CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Compliance Impact

This vulnerability allows the export of full secrets of connected gift cards even when the user does not have permission to view them, which circumvents permission boundaries.

Such unauthorized exposure of sensitive information could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards.

Executive Summary

This vulnerability occurs when exporting all reusable media, where the secrets of connected gift cards are included in the export even if the user creating the export does not have permission to view gift cards.

This behavior is inconsistent with the user interface and API, which only show the first letters of the gift card secret, thereby allowing users to circumvent permission boundaries.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive gift card secrets to users who should not have access to them.

Such unauthorized access can compromise the security of gift cards, potentially allowing misuse or fraud.

Mitigation Strategies

To mitigate this vulnerability, you should update your pretix installation to version 2026.5.1 as soon as possible.
