CVE-2026-57960
Status: Received - Intake

Unauthenticated Access to Attendee Data in Hi.Events

Vulnerability report for CVE-2026-57960, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPEs (4)

Vendor          Product     Version / Range
hi_events       hi_events   up to 1.9.0 (inclusive)
hi_events_dev   hi.events   1.9.0
hi_events_dev   hi.events   up to 1.9.0 (exclusive)
hi_events_dev   hi.events   1.8.0-beta

CWE

CWE-359  The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Executive Summary

CVE-2026-57960 is a privacy vulnerability in the Hi.Events platform (version 1.9.0 and earlier): the public check-in list endpoints rely on the list's short_id as their only access control.

Anyone who knows or obtains a short_id can send an unauthenticated GET request to /api/public/check-in-lists/{short_id}/attendees and retrieve the full attendee list, including personal information such as email addresses, first and last names, order IDs, and ticket details.

The same unauthenticated access also lets an attacker create or delete check-in records through the public check-in list API.

The root cause is that the short_id works as a capability URL: it is long and random enough to resist guessing, but possession of the URL is the only credential. Check-in URLs are routinely shared with event volunteers and end up in browser history, server and proxy logs, and network captures, so the "secret" is easy to leak and every leaked copy grants the same access.

Impact Analysis

The vulnerability allows unauthorized disclosure of attendee personally identifiable information (PII), including email addresses and other personal details.

Anyone holding a short_id can read the attendee list without authenticating, which enables targeted phishing against attendees, privacy violations, and identity fraud.

Attackers can also create or delete check-in records without authorization, disrupting entry at the event or corrupting attendance data.

Because check-in URLs are routinely shared among event staff and volunteers, the chance that a short_id leaks through logs, browser history, or network captures is high.

Compliance Impact

Unauthorized disclosure of attendee PII engages data protection regulations such as the GDPR.

Because the data can be read without consent or effective access controls, such disclosure is likely to be treated as a personal data breach under the GDPR and similar regimes.

Event organizers running a vulnerable version may expose attendee data without knowing it, with the associated notification duties, fines, and reputational damage.

Mitigations that reduce this exposure include removing email addresses from the public endpoints, requiring a PIN or token in addition to the short_id, and making PII exposure on public endpoints configurable.

Detection Guidance

Every request to these endpoints is unauthenticated by design, so access logs cannot separate a volunteer from an attacker by login state. Look instead at who is calling the endpoint pattern /api/public/check-in-lists/{short_id}/attendees, from where, how often, and with which HTTP methods.

To confirm whether your own instance is exposed, issue an unauthenticated request for a short_id you own and check whether the response is a 200 whose body contains attendee records with email fields. Guessed short_id values are not a practical test, since the identifier is designed to resist brute force; use a real one from your instance, and test only systems you are authorized to assess.

  • curl -i https://your-hi-events-domain/api/public/check-in-lists/{short_id}/attendees (send no session cookie or bearer token; a 200 response containing email fields confirms the exposure)
  • Network captures with tcpdump or Wireshark only show these requests where TLS is terminated (at the reverse proxy or load balancer); otherwise the access log of the terminating proxy is the practical source.
  • Review access logs for GET, POST, or DELETE requests under /api/public/check-in-lists/* and flag calls from outside the venue or staff networks, a single client touching many different short_id values (enumeration attempts show up as a run of 404s), and POST or DELETE requests from sources that are not known check-in stations.
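The log review described above, as an added example that is not part of the original advisory or of the Hi.Events project: a small analyzer for combined-format access logs that applies the three checks (reads from untrusted sources, short_id enumeration, writes from untrusted sources) to a constructed sample. Only the /api/public/check-in-lists/{short_id} prefix is taken from the advisory; the check-in sub-paths, IP addresses, and the "trusted IP" notion are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in nginx/Apache "combined" log format; not real traffic.
# The /check-ins sub-paths are placeholders, not the project's documented routes.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jun/2026:09:01:12 +0000] "GET /api/public/check-in-lists/abc123XYZ/attendees HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jun/2026:09:01:30 +0000] "POST /api/public/check-in-lists/abc123XYZ/check-ins HTTP/1.1" 201 312 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jun/2026:09:05:01 +0000] "GET /api/public/check-in-lists/abc123XYZ/attendees HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.7 - - [29/Jun/2026:09:05:02 +0000] "GET /api/public/check-in-lists/def456UVW/attendees HTTP/1.1" 404 41 "-" "python-requests/2.31"
198.51.100.7 - - [29/Jun/2026:09:05:03 +0000] "GET /api/public/check-in-lists/ghi789RST/attendees HTTP/1.1" 404 41 "-" "python-requests/2.31"
198.51.100.7 - - [29/Jun/2026:09:05:04 +0000] "DELETE /api/public/check-in-lists/abc123XYZ/check-ins/q1w2e3 HTTP/1.1" 204 0 "-" "python-requests/2.31"
192.0.2.55 - - [29/Jun/2026:09:07:44 +0000] "GET /api/events/42/attendees HTTP/1.1" 401 52 "-" "curl/8.4"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Public check-in list API prefix from the advisory; anything after the short_id is captured as "rest".
CHECKIN_RE = re.compile(r'^/api/public/check-in-lists/(?P<short_id>[^/?]+)(?P<rest>/[^?]*)?')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def analyze(log_text, trusted_ips=frozenset(), enum_threshold=3):
    """Apply the three detection checks to a log. trusted_ips is the set of known
    check-in stations (an assumption of this example); enum_threshold is how many
    distinct short_ids one client may touch before it is flagged as enumerating."""
    per_ip = defaultdict(lambda: {"short_ids": set(), "reads": 0, "writes": 0, "not_found": 0})
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        m = CHECKIN_RE.match(req["path"])
        if not m:
            continue  # not the public check-in list API
        stats = per_ip[req["ip"]]
        stats["short_ids"].add(m.group("short_id"))
        if req["status"] == 404:
            stats["not_found"] += 1
        untrusted = req["ip"] not in trusted_ips
        if req["method"] in WRITE_METHODS:
            stats["writes"] += 1
            if untrusted:  # check-in records created/deleted from an unknown source
                findings.append({"kind": "write_from_untrusted_ip", "ip": req["ip"], "detail": f'{req["method"]} {req["path"]}'})
        elif req["method"] == "GET" and (m.group("rest") or "").startswith("/attendees") and req["status"] == 200:
            stats["reads"] += 1
            if untrusted:  # a full attendee list (with PII) left for an unknown source
                findings.append({"kind": "attendee_list_read_from_untrusted_ip", "ip": req["ip"], "detail": req["path"]})
    for ip, stats in per_ip.items():
        if len(stats["short_ids"]) >= enum_threshold:  # one client probing many lists
            findings.append({"kind": "short_id_enumeration", "ip": ip,
                             "detail": f'{len(stats["short_ids"])} distinct short_ids, {stats["not_found"]} not found'})
    summary = {ip: {**s, "short_ids": sorted(s["short_ids"])} for ip, s in per_ip.items()}
    return {"findings": findings, "per_ip": summary}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, trusted_ips={"203.0.113.10"})
    for f in result["findings"]:
        print(f'{f["kind"]:40} {f["ip"]:15} {f["detail"]}')
```

On the sample, the trusted station's read and POST are reported only in per_ip statistics, while the scripted client is flagged three times: an attendee list read, an enumeration run (three short_ids, two of them 404), and a DELETE. Point the script at real logs with the IP ranges of your check-in stations in trusted_ips.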
Mitigation Strategies

Until a fixed release is deployed, put an additional control in front of the public check-in list endpoints: a PIN or token in addition to the short_id, or a reverse-proxy rule that limits them to the networks your check-in stations use.

Remove or mask PII, especially email addresses, from the attendee data the public endpoints return; the check-in workflow only needs enough to identify the ticket holder.

Treat short_id URLs as credentials: share them only with the volunteers who need them for the event, and keep them out of tickets, chat logs, and publicly accessible pages.

  • Apply the patch from Pull Request #1229, which removes email fields from the public attendee resource.
  • Upgrade to a Hi.Events release that includes that fix; all releases through 1.9.0 are affected.
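The reverse-proxy stopgap mentioned above, as an added example that is not part of the advisory or of the Hi.Events project. It assumes an nginx reverse proxy in front of the application, an upstream named hi_events_backend, and a check-in desk on the 203.0.113.0/24 range; all three are placeholders to adapt, and the rule knowingly blocks off-site volunteers until a fixed release is in place.

```nginx
# Added stopgap, not the project's own configuration. Only the API prefix is
# taken from the advisory; the upstream name and the network range are assumptions.
location ~ ^/api/public/check-in-lists/ {
    # Restrict the whole public check-in list API to the on-site check-in network.
    # If another proxy sits in front of nginx, configure the real_ip module first,
    # otherwise every request appears to come from that proxy and the rule is moot.
    allow 203.0.113.0/24;
    deny  all;

    proxy_pass http://hi_events_backend;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

Requests from outside the allowed range receive 403 before they reach the application, which also stops unauthenticated check-in creation and deletion from the internet. The rule is a containment measure, not a fix: email fields are still returned to whoever is inside the allowed network until the patched release is deployed.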
