PT-2026-31303 · Pretix · Pretix

Pratik Karan · Published 2026-04-08 · Updated 2026-04-12 · CVE-2026-5600

CVSS v4.0: 5.5 (Medium)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: pretix version 2025

Description: A new API endpoint in pretix 2025 incorrectly returns all check-in events belonging to the organizer instead of only those of the requested event. As a result, an API consumer with access to one event can read check-in information for every event under the same organizer, including events they should not have access to. The records contain the time and result of every ticket scan as well as the ID of the matched ticket. The API response includes details such as id, successful, error reason, position, datetime, list, created, auto checked in, gate, device, device id, and type.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the affected API endpoint.

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-5600
GHSA-WR8Q-C73G-M7GP
PYSEC-2026-111

Affected Products

Pretix