CVE-2026-11764

UNKNOWN 0.0

Data exposed without proper permission

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

CWE	CWE-280
Vendor	pretix
Product	pretix
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for pretix pretix

Be the first to know when new unknown vulnerabilities affecting pretix pretix are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

pretix / pretix

2024.1.0 < 2026.3.0 2026.3.0 < 2026.4.0 2026.4.0 < 2026.5.0 2026.5.0 < 2026.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

pretix.eu: https://pretix.eu/about/en/blog/20260609-release-2026-5-1/

Credits

Mr. JDH