CVE-2026-13603

Insecure API URL Handling in pretix-oppwa Payment Integration

Vulnerability report for CVE-2026-13603, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: rami.io

Description

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath. Our plugin pretix-oppwa did so insecurely by concatenating the parameter from the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL. After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
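The following is an added Python illustration (not the pretix-oppwa plugin's own code) of the unsafe join the advisory describes next to a strictly validated builder of the kind the fix calls for. The base URL, the checkout id character class and the sample paths are constructed placeholders, since the page gives none of them.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed placeholder for the payment provider's API base; the page does
# not give the real Oppwa base URL, so nothing here points at a real host.
BASE_URL = "https://api.oppwa-placeholder.test"
EXPECTED_HOST = urlsplit(BASE_URL).netloc

# The only shape a legitimate redirect carries: /v1/checkouts/{checkoutId}/payment.
# The checkout id character class is an assumption, not Oppwa's documented one.
RESOURCE_PATH_RE = re.compile(r"/v1/checkouts/[A-Za-z0-9._-]+/payment")


def build_status_url_vulnerable(base_url: str, resource_path: str) -> str:
    """The pattern the advisory describes: plain concatenation, no validation,
    and no '/' at the end of base_url, so the parameter can extend the host name."""
    return base_url + resource_path


def build_status_url(base_url: str, resource_path: str) -> str:
    """Hardened builder: allow-list the path shape, join against a base that
    ends in '/', then confirm the final URL still points at the expected host."""
    if not RESOURCE_PATH_RE.fullmatch(resource_path):
        raise ValueError("resourcePath is not /v1/checkouts/{id}/payment")
    url = urljoin(base_url.rstrip("/") + "/", resource_path.lstrip("/"))
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != EXPECTED_HOST:
        raise ValueError("status URL would leave the expected API host")
    return url


def is_safe_resource_path(base_url: str, resource_path: str) -> bool:
    """Accept/reject predicate built on the hardened builder."""
    try:
        build_status_url(base_url, resource_path)
        return True
    except ValueError:
        return False


def host_of(url: str) -> str:
    return urlsplit(url).netloc


if __name__ == "__main__":
    # Constructed samples: one legitimate path and one that does not start with '/'.
    good = "/v1/checkouts/abc123/payment"
    odd = ".not-the-provider.test/v1/checkouts/abc123/payment"
    print(host_of(build_status_url_vulnerable(BASE_URL, odd)))  # a foreign host
    print(build_status_url(BASE_URL, good))
    print(is_safe_resource_path(BASE_URL, odd))  # False
```

The host re-check after joining is the part that matters even if the regex is later loosened: it fails closed whenever the outgoing request would carry the API key anywhere but the provider's host.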


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: pretix; Product: pretix; Version / Range: 2026.5.3

Exploitability

CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

AI Quick Actions

Compliance Impact

This vulnerability allows an attacker to leak the access token (API key) of the Oppwa account by exploiting insecure URL concatenation, potentially exposing sensitive payment data contained in the payment provider's system.

Such unauthorized access and data leakage could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and payment data to prevent unauthorized disclosure.

Therefore, this vulnerability poses a risk to compliance with common standards and regulations that mandate the protection of sensitive payment and personal information.

Detection Guidance

This vulnerability involves the insecure concatenation of the resourcePath query parameter to the baseUrl without proper validation, which can lead to leaking the Oppwa API access token to an attacker-controlled server.

To detect exploitation attempts on your network or system, you can monitor HTTP requests that include suspicious or unexpected resourcePath query parameters, especially those redirecting to external or non-standard domains.

Suggested commands to help detect potential exploitation attempts include:

  • Using network traffic analysis tools (e.g., tcpdump or Wireshark) to filter HTTP requests containing 'resourcePath=' in the URL.
  • Example tcpdump command: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'resourcePath='
    Note that on port 443 the query string is inside the TLS payload, so this filter only sees plaintext HTTP; for HTTPS traffic, use the logs of the TLS-terminating reverse proxy or of the application instead.
  • Checking web server logs for requests with query parameters containing 'resourcePath=' and verifying whether the parameter value deviates from the expected /v1/checkouts/{checkoutId}/payment shape or points to an external domain.
  • Example grep command on access logs: grep 'resourcePath=' /var/log/nginx/access.log

Additionally, verify that your pretix installation is updated to version 2026.5.3 or later, which includes the fix for this vulnerability.

Executive Summary

The vulnerability exists in the pretix-oppwa payment integration plugin, which supports payment providers like VR Payment and Hobex. The plugin insecurely handles a URL query parameter called resourcePath, which is used to fetch the status of a payment transaction. Instead of properly validating this parameter, the plugin concatenates it directly to the base API URL without ensuring a trailing slash. This allows an attacker to manipulate the resourcePath parameter to redirect the request to a different server.

Because the request includes the Oppwa account's access token (API key), this manipulation can leak the token to an attacker-controlled server. With the leaked token, an attacker can access sensitive data in the payment provider's system. The issue is fixed by strictly validating the API URL to prevent such injection.

Impact Analysis

This vulnerability can lead to the leakage of your Oppwa API access token to an attacker. With this token, the attacker can gain unauthorized access to sensitive payment data stored by the payment provider.

Such unauthorized access can result in data breaches, exposing transaction details and potentially compromising customer payment information. This can lead to financial loss, reputational damage, and further exploitation of your payment system.

Mitigation Strategies

To mitigate this vulnerability, you should update your pretix installation to version 2026.5.3 or later, which includes the fix for this issue.

After installing the update, it is recommended to request a new access token from your payment provider and update it in pretix to prevent any potential token leakage.
