PT-2026-54632 · Unknown · Pretix-Oppwa
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-13603
CVSS v4.0
9.0
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
pretix-oppwa (affected versions not specified)
Description
An issue exists where the system improperly concatenates an unvalidated
resourcePath query parameter into the Oppwa API base URL when building outbound requests. This occurs because the system fetches the transaction status from a URL formed by combining the base URL and the resourcePath without sufficient validation. An attacker can manipulate the resourcePath parameter to redirect the server request to an arbitrary destination. Because the request includes the Oppwa account access token (API key), this can lead to the leakage of credentials and unauthorized access to sensitive payment data within the provider's system. This is a Server-Side Request Forgery (SSRF), which is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.Recommendations
Update to the patched release that implements strict API URL validation.
After installing the update, request a new access token from the payment provider and update it in the system.
Exploit
Fix
SSRF
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Pretix-Oppwa