CVE-2026-9712

EUVD-2026-32530

27.05.2026, 15:16

When creating an export through the pretix API, API clients are
returned an UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.

One remaining API endpoint, however, wrongfully did not verify if the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the correct user. In reality, this is
hard to exploit because an attacker would need to have access to a valid
UUID for the file they desire which is unlikely to happen without a
separate security problem giving them access to logs etc.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
rami.io	CNA	3.8 LOW	NETWORK	LOW	LOW	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
pretix	pretix	2024.10.0 ≤ 𝑥 < 2026.2.0	CNA
pretix	pretix	2026.2.0 ≤ 𝑥 < 2026.3.0	CNA
pretix	pretix	2026.3.0 ≤ 𝑥 < 2026.4.0	CNA
pretix	pretix	2026.4.0 ≤ 𝑥 < 2026.5.0	CNA

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://pretix.eu/about/en/blog/20260527-release-2026-4-2/