PT-2026-54632 · Unknown · Pretix-Oppwa

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-13603

CVSS v4.0

9.0

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions pretix-oppwa (affected versions not specified)
Description An issue exists where the system improperly concatenates an unvalidated resourcePath query parameter into the Oppwa API base URL when building outbound requests. This occurs because the system fetches the transaction status from a URL formed by combining the base URL and the resourcePath without sufficient validation. An attacker can manipulate the resourcePath parameter to redirect the server request to an arbitrary destination. Because the request includes the Oppwa account access token (API key), this can lead to the leakage of credentials and unauthorized access to sensitive payment data within the provider's system. This is a Server-Side Request Forgery (SSRF), which is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.
Recommendations Update to the patched release that implements strict API URL validation. After installing the update, request a new access token from the payment provider and update it in the system.

Exploit

Fix

SSRF

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-13603

Affected Products

Pretix-Oppwa