CVE-2026-5600
Published 2026-04-08
Priority P4 · medium 4.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.26% (16.8th percentile)
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:
```json
{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}
```
An unauthorized user usually has no way to match these IDs (position) back to individual people.
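To make the scoping failure concrete, here is an added example (not pretix code) that checks a per-event check-in response of the record shape shown above against the check-in lists that actually belong to the event; the sample records and the list-to-event mapping are constructed assumptions.

```python
import json

# Constructed sample response in the record shape shown in the advisory
# (not real pretix data): two records from check-in list 456, one from list 789.
RESPONSE = json.loads("""[
 {"id": 123, "successful": true, "error_reason": null, "error_explanation": null,
  "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456,
  "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false,
  "gate": null, "device": 1, "device_id": 1, "type": "entry"},
 {"id": 124, "successful": false, "error_reason": null, "error_explanation": null,
  "position": 322, "datetime": "2020-08-23T09:05:00+02:00", "list": 456,
  "created": "2020-08-23T09:05:00+02:00", "auto_checked_in": false,
  "gate": null, "device": 1, "device_id": 1, "type": "entry"},
 {"id": 200, "successful": true, "error_reason": null, "error_explanation": null,
  "position": 900, "datetime": "2020-09-01T18:00:00+02:00", "list": 789,
  "created": "2020-09-01T18:00:00+02:00", "auto_checked_in": false,
  "gate": null, "device": 2, "device_id": 2, "type": "entry"}
]""")

# Hypothetical mapping of check-in list id -> event slug. A defender builds this
# from each event's own check-in list listing; here it is an assumption.
LIST_TO_EVENT = {456: "conf-a", 789: "conf-b"}


def scope_to_event(records, event, list_to_event):
    """Keep only records whose check-in list belongs to `event`.

    This is the scoping the per-event endpoint was supposed to apply; the
    bug described in the advisory stops one level up, at the organizer.
    """
    return [r for r in records if list_to_event.get(r["list"]) == event]


def foreign_record_ids(records, event, list_to_event):
    """Ids of records in a per-event response whose check-in list belongs to
    a different or unknown event. Non-empty output means the endpoint still
    leaks across the organizer's events; a fixed instance yields []."""
    return [r["id"] for r in records if list_to_event.get(r["list"]) != event]


if __name__ == "__main__":
    print("leaked record ids:", foreign_record_ids(RESPONSE, "conf-a", LIST_TO_EVENT))
```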
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pretix | pretix | >= 0 < 2026.1.2 | 2026.1.2 |
| pretix | pretix | >= 2025.10.0 < 2026.1.2 | 2026.1.2 |
| pretix | pretix | >= 2026.2.0 < 2026.2.1 | 2026.2.1 |
| pretix | pretix | >= 2026.2.0 < 2026.2.1 | 2026.2.1 |
| pretix | pretix | >= 2026.3.0 < 2026.3.1 | 2026.3.1 |
| pretix | pretix | >= 2026.3.0 < 2026.3.1 | 2026.3.1 |
CVSS provenance
- NVD, CVSS v3.1: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- NVD, CVSS v4.0: 5.5 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 5.5 MEDIUM
OSV
osv · 2026-04-08 · CVE-2026-5600 [MEDIUM] pretix: API leaks check-in data between events of the same organizer
GHSA
ghsa · 2026-04-08 · CVE-2026-5600 [MEDIUM] CWE-653 pretix: API leaks check-in data between events of the same organizer
Red Hat
vendor_redhat · 2026-04-06 · CVSS 5.5 · CVE-2026-31407 [MEDIUM] CWE-125 kernel: netfilter: conntrack: add missing netlink policy validations
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: add missing netlink policy validations
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.
Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]
and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
A flaw was found in the Linux kernel's netfilter conntrack
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 5.4 · CVE-2026-5600 [MEDIUM] CVE-2026-5600 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5600: Python vulnerability analysis and mitigation
Bugzilla
bugzilla · 2026-04-06 · CVE-2026-31407 [MEDIUM] kernel: netfilter: conntrack: add missing netlink policy validations
Discussion:
Upstream advisory: https:
Published 2026-04-08