CVE-2026-9712 (GCVE-0-2026-9712)
Vulnerability from cvelistv5 – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
Title
Insecure direct object reference
Summary
When creating an export through the pretix API, API clients are
returned a UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.
One remaining API endpoint, however, did not verify whether the
UUID used for download actually belongs to a file that is meant to
be downloadable and that belongs to the requesting user. In practice, this is
hard to exploit, because an attacker would need a valid UUID for the
file they want, which is unlikely without a separate security problem
giving them access to logs, etc.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260527-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:39:22.313424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:39:28.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.2.0",
"status": "affected",
"version": "2024.10.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.2.2",
"status": "unaffected"
}
],
"lessThan": "2026.3.0",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.2",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.2",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
}
],
"value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:35:58.857Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-9712",
"datePublished": "2026-05-27T14:35:58.857Z",
"dateReserved": "2026-05-27T14:18:33.470Z",
"dateUpdated": "2026-05-28T15:39:28.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9712",
"date": "2026-05-31",
"epss": "0.00038",
"percentile": "0.11861"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9712\",\"sourceIdentifier\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\",\"published\":\"2026-05-27T15:16:36.250\",\"lastModified\":\"2026-05-27T19:59:03.360\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When creating an export through the pretix API, API clients are \\nreturned an UUID value for their export job (a long, random string like \\n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \\ncan then request the actual file for download. The same kind of UUID is \\nused in other places in pretix when temporary files are generated for \\ninternal use or download.\\n\\n\\n\\n\\nOne remaining API endpoint, however, wrongfully did not verify if the\\n UUID used for download actually belongs to a file that is supposed to \\nbe downloadable and belongs to the correct user. In reality, this is \\nhard to exploit because an attacker would need to have access to a valid\\n UUID for the file they desire which is unlikely to happen without a \\nseparate security problem giving them access to logs etc.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://pretix.eu/about/en/blog/20260527-release-2026-4-2/\",\"source\":\"655498c3-6ec5-4f0b-aea6-853b334d05a6\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"shortName\": \"rami.io\", \"dateUpdated\": \"2026-05-27T14:35:58.857Z\"}, \"title\": \"Insecure direct object reference\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\", \"type\": \"CWE\"}]}], \"affected\": [{\"vendor\": \"pretix\", \"product\": \"pretix\", \"collectionURL\": \"https://pypi.org/\", \"packageName\": \"pretix\", \"repo\": \"https://github.com/pretix/pretix\", \"versions\": [{\"status\": \"affected\", \"version\": \"2024.10.0\", \"lessThan\": \"2026.2.0\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.2.0\", \"lessThan\": \"2026.3.0\", \"changes\": [{\"at\": \"2026.2.2\", \"status\": \"unaffected\"}], \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.3.0\", \"lessThan\": \"2026.4.0\", \"changes\": [{\"at\": \"2026.3.2\", \"status\": \"unaffected\"}], \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"2026.4.0\", \"lessThan\": \"2026.5.0\", \"changes\": [{\"at\": \"2026.4.2\", \"status\": \"unaffected\"}], \"versionType\": \"python\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"When creating an export through the pretix API, API clients are \\nreturned an UUID value for their export job (a long, random string like \\n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \\ncan then request the actual file for download. The same kind of UUID is \\nused in other places in pretix when temporary files are generated for \\ninternal use or download.\\n\\n\\n\\n\\nOne remaining API endpoint, however, wrongfully did not verify if the\\n UUID used for download actually belongs to a file that is supposed to \\nbe downloadable and belongs to the correct user. In reality, this is \\nhard to exploit because an attacker would need to have access to a valid\\n UUID for the file they desire which is unlikely to happen without a \\nseparate security problem giving them access to logs etc.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eWhen creating an export through the pretix API, API clients are \\nreturned an UUID value for their export job (a long, random string like \\n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \\ncan then request the actual file for download. The same kind of UUID is \\nused in other places in pretix when temporary files are generated for \\ninternal use or download.\u003c/p\u003e\\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\\n UUID used for download actually belongs to a file that is supposed to \\nbe downloadable and belongs to the correct user. In reality, this is \\nhard to exploit because an attacker would need to have access to a valid\\n UUID for the file they desire which is unlikely to happen without a \\nseparate security problem giving them access to logs etc.\u003c/p\u003e\"}]}], \"references\": [{\"url\": \"https://pretix.eu/about/en/blog/20260527-release-2026-4-2/\", \"tags\": [\"vendor-advisory\"]}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"exploitMaturity\": \"UNREPORTED\", \"Safety\": \"NOT_DEFINED\", \"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"version\": \"4.0\", \"baseSeverity\": \"LOW\", \"baseScore\": 3.8, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U\"}}], \"credits\": [{\"lang\": \"en\", \"value\": \"Deepjyoti Roy\", \"type\": \"finder\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9712\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-28T15:39:22.313424Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-28T15:39:25.263Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9712\", \"assignerOrgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"rami.io\", \"dateReserved\": \"2026-05-27T14:18:33.470Z\", \"datePublished\": \"2026-05-27T14:35:58.857Z\", \"dateUpdated\": \"2026-05-28T15:39:28.686Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.