CVE-2026-11764

EUVD-2026-35407
When creating an export of all reusable media, the secrets of connected 
gift cards were included in the export even if the user creating the 
export does not have permission to view gift cards. This is inconsistent
 with the UI and API where only the first letters of the gift card 
secret are shown. Therefore, it allows circumventing a permission 
boundary.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
rami.ioCNA
3.6 LOW
NETWORK
LOW
HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
pretixpretix
2024.1.0 ≤
𝑥
< 2026.3.0
CNA
pretixpretix
2026.3.0 ≤
𝑥
< 2026.4.0
CNA
pretixpretix
2026.4.0 ≤
𝑥
< 2026.5.0
CNA
pretixpretix
2026.5.0 ≤
𝑥
< 2026.6.0
CNA
Common Weakness Enumeration
References
https://pretix.eu/about/en/blog/20260609-release-2026-5-1/