CVE-2026-9712

UNKNOWN 0.0

Insecure direct object reference

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

12th

When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.

CWE	CWE-639
Vendor	pretix
Product	pretix
Published	May 27, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for pretix pretix

Be the first to know when new unknown vulnerabilities affecting pretix pretix are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

pretix / pretix

2024.10.0 < 2026.2.0 2026.2.0 < 2026.3.0 2026.3.0 < 2026.4.0 2026.4.0 < 2026.5.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

pretix.eu: https://pretix.eu/about/en/blog/20260527-release-2026-4-2/

Credits

Deepjyoti Roy