PatchSiren

CVE-2026-9712 pretix CVE debrief

## Summary

CVE-2026-9712 is a low-severity authorization bypass in pretix, an open-source ticketing system. An API endpoint for downloading export files failed to verify that the requested UUID referred to a file intended for download and that the file belonged to the requesting user. An authenticated attacker who knows a valid file UUID could therefore retrieve files they are not permitted to download.

## Technical Details

The flaw is in pretix's export functionality. When an export is created through the pretix API, the client receives a UUID for the export job and later presents that UUID to download the resulting file. Most endpoints check that the UUID refers to a downloadable file and that it belongs to the correct user; one API endpoint performed the lookup by UUID alone, without either check.

The issue is classified as CWE-639: Authorization Bypass Through User-Controlled Key, i.e. a client-supplied object identifier is used to fetch a resource without confirming that the caller is authorized for that specific resource. The CVSS 4.0 vector recorded by NVD indicates network attack vector, low attack complexity, low privileges required (an authenticated user), no user interaction, and high confidentiality impact on the vulnerable component.

## Exploitation Context

Successful exploitation requires:

1. Valid authentication to the pretix API
2. Knowledge of a valid file UUID for the target file

The pretix maintainers note that practical exploitation is difficult: the attacker must first obtain a valid UUID for the target file, which is unlikely without a separate security issue such as access to logs or another information disclosure. Because the UUID was the only control between an authenticated user and another user's export, any channel that leaks UUIDs (the maintainers cite logs) turns this bug into a direct data exposure.

## Affected Product

- **Product**: pretix (open-source ticketing software)
- **Vendor**: pretix (pretix.eu)

The vulnerability was addressed in pretix release 2026.4.2.

## Timeline

- **Published**: 2026-05-27T15:16:36.250Z
- **Modified**: 2026-05-27T19:59:03.360Z

## Recommended Actions

1. **Upgrade**: Update pretix to version 2026.4.2 or later, which contains the fix.
2. **Review Access Logs**: Check for export download requests by UUID that may indicate attempted or successful exploitation, in particular the same UUID fetched by more than one user.
3. **Audit File Access**: Verify that sensitive export files have not been accessed by anyone other than their owners.
4. **Monitor for Information Disclosure**: Watch for information disclosure issues that could give an attacker valid file UUIDs.
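To make the CWE-639 pattern concrete, here is an added example (not pretix's code) that models an export-download endpoint against a hypothetical in-memory store and runs the flawed lookup next to the hardened one. The field names `owner_id` and `intended_for_download` are assumptions for the illustration, not pretix's schema; the fix shown follows the description above of what the affected endpoint failed to check.

```python
"""Added illustration of the lookup flaw behind CVE-2026-9712.

Not pretix's code. ExportStore is a hypothetical stand-in for the database
table that maps export-job UUIDs to files; owner_id and intended_for_download
are assumed field names chosen for this example.
"""
import uuid
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when no downloadable file matches the request for this caller."""


@dataclass
class ExportFile:
    file_id: uuid.UUID
    owner_id: str                  # assumed: the user who created the export
    intended_for_download: bool    # assumed: False for files never meant to be served
    contents: bytes


class ExportStore:
    def __init__(self) -> None:
        self._files: dict = {}

    def add(self, owner_id: str, contents: bytes, intended_for_download: bool = True) -> uuid.UUID:
        file_id = uuid.uuid4()
        self._files[file_id] = ExportFile(file_id, owner_id, intended_for_download, contents)
        return file_id

    def download_vulnerable(self, caller_id: str, file_id: uuid.UUID) -> bytes:
        """The flawed pattern: the client-supplied key is the only lookup criterion.

        caller_id is accepted but never consulted, so any authenticated caller who
        knows the UUID receives the file, whoever owns it and whether or not it was
        ever meant to be downloadable.
        """
        try:
            return self._files[file_id].contents
        except KeyError:
            raise NotFound(file_id) from None

    def download_fixed(self, caller_id: str, file_id: uuid.UUID) -> bytes:
        """Hardened lookup: the owner and the download flag are part of the query.

        Both conditions are evaluated together with the key lookup, and every
        failure maps to the same NotFound, so a caller probing a foreign UUID
        cannot learn from the error whether that UUID exists.
        """
        f = self._files.get(file_id)
        if f is None or f.owner_id != caller_id or not f.intended_for_download:
            raise NotFound(file_id)
        return f.contents


def _succeeds(endpoint, caller_id: str, file_id: uuid.UUID) -> bool:
    """True if the endpoint returns the file, False if it denies with NotFound."""
    try:
        endpoint(caller_id, file_id)
        return True
    except NotFound:
        return False


def demonstrate() -> dict:
    """Run both endpoints over a constructed store; returns which accesses succeed."""
    store = ExportStore()
    alice_export = store.add("alice", b"order-export.csv")
    alice_internal = store.add("alice", b"scratch", intended_for_download=False)
    return {
        "vuln_cross_user": _succeeds(store.download_vulnerable, "mallory", alice_export),
        "vuln_owner_internal": _succeeds(store.download_vulnerable, "alice", alice_internal),
        "fixed_cross_user": _succeeds(store.download_fixed, "mallory", alice_export),
        "fixed_owner": _succeeds(store.download_fixed, "alice", alice_export),
        "fixed_owner_internal": _succeeds(store.download_fixed, "alice", alice_internal),
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'served' if ok else 'denied'}")
```

The two rows that matter are `vuln_cross_user` (mallory obtains alice's export with nothing but the UUID) and `fixed_cross_user` (the same request is denied once ownership is part of the lookup). Returning the same NotFound for a wrong owner and a non-existent key is a deliberate choice: with a 403/404 split, the endpoint would still confirm which UUIDs are real.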

Vendor
pretix
Product
Unknown
CVSS
LOW 3.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running pretix, particularly those that create exports through the API; exports from a ticketing system typically contain order and attendee data. Security teams responsible for pretix deployments should schedule the upgrade to 2026.4.2: the severity is low, but the fix is a straightforward version bump.

Technical summary

An API endpoint in pretix for downloading export files failed to verify that the requested UUID belonged to a file intended for download and the correct user. Authenticated attackers with knowledge of valid file UUIDs could potentially access unauthorized files. Fixed in pretix 2026.4.2.

Defensive priority

low

Recommended defensive actions

  • Upgrade pretix to version 2026.4.2 or later to obtain the fix for this authorization bypass
  • Review access logs for export download requests by UUID that may indicate exploitation attempts, in particular the same UUID fetched by more than one user
  • Audit file access patterns to verify that sensitive export files have not been accessed by anyone other than their owners
  • Monitor for information disclosure issues (log exposure, for example) that could provide attackers with valid file UUIDs
  • Implement additional access controls and logging for sensitive export file downloads
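The log-review and audit actions above are easier to act on with a concrete check. The following added example (not pretix's code, and not its log format) scans constructed access-log lines for two signals: an export UUID downloaded successfully by more than one principal, and a principal collecting denials on many distinct UUIDs. It assumes a Common Log Format line whose third field carries the authenticated principal and a hypothetical download path `/api/v1/exports/<uuid>/download/`; adjust both regexes to the real deployment.

```python
"""Added example: flagging suspicious export downloads in access logs.

Assumptions (not from pretix): Common Log Format with the authenticated
principal in the remote-user field, and a download path of the form
/api/v1/exports/<uuid>/download/. SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict

UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
DOWNLOAD_RE = re.compile(r"^/api/v1/exports/(?P<uuid>" + UUID_RE + r")/download/?$")

# Constructed sample: alice and bob fetch their own exports, mallory fetches
# alice's export (succeeds on an unpatched instance) and then probes five
# guessed UUIDs that are denied.
SAMPLE_LOG = """\
203.0.113.5 - alice [27/May/2026:10:01:02 +0000] "GET /api/v1/exports/3f2a1c4e-9b7d-4e1a-8c2f-5d6e7f8a9b0c/download/ HTTP/1.1" 200 51234
203.0.113.7 - bob [27/May/2026:10:02:10 +0000] "GET /api/v1/exports/7c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f/download/ HTTP/1.1" 200 8812
203.0.113.9 - mallory [27/May/2026:10:05:41 +0000] "GET /api/v1/exports/3f2a1c4e-9b7d-4e1a-8c2f-5d6e7f8a9b0c/download/ HTTP/1.1" 200 51234
203.0.113.9 - mallory [27/May/2026:10:06:01 +0000] "GET /api/v1/exports/11111111-2222-4333-8444-555555555555/download/ HTTP/1.1" 404 0
203.0.113.9 - mallory [27/May/2026:10:06:02 +0000] "GET /api/v1/exports/22222222-3333-4444-8555-666666666666/download/ HTTP/1.1" 404 0
203.0.113.9 - mallory [27/May/2026:10:06:03 +0000] "GET /api/v1/exports/33333333-4444-4555-8666-777777777777/download/ HTTP/1.1" 404 0
203.0.113.9 - mallory [27/May/2026:10:06:04 +0000] "GET /api/v1/exports/44444444-5555-4666-8777-888888888888/download/ HTTP/1.1" 404 0
203.0.113.9 - mallory [27/May/2026:10:06:05 +0000] "GET /api/v1/exports/55555555-6666-4777-8888-999999999999/download/ HTTP/1.1" 404 0
203.0.113.5 - alice [27/May/2026:10:07:00 +0000] "GET /api/v1/events/ HTTP/1.1" 200 2048
garbage line that does not parse
"""


def parse_downloads(lines):
    """Yield (user, uuid, status) for every well-formed export download request."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable or differently formatted line: skip, do not crash
        d = DOWNLOAD_RE.match(m["path"])
        if not d:
            continue  # not an export download
        yield m["user"], d["uuid"], int(m["status"])


def analyze(log_text: str, probe_threshold: int = 5) -> dict:
    """Return UUIDs served to more than one user, and users denied on many UUIDs.

    shared_uuids: evidence of cross-user access (successful exploitation, or a
    legitimately shared export; confirm against the deployment's sharing model).
    probers: users accumulating denials on distinct UUIDs, i.e. guessing or
    replaying leaked identifiers against a patched instance.
    """
    downloaders = defaultdict(set)  # uuid -> users who received a 200
    misses = defaultdict(set)       # user -> distinct uuids denied with 403/404
    for user, uid, status in parse_downloads(log_text.splitlines()):
        if status == 200:
            downloaders[uid].add(user)
        elif status in (403, 404):
            misses[user].add(uid)
    shared = {uid: sorted(users) for uid, users in downloaders.items() if len(users) > 1}
    probers = {user: len(ids) for user, ids in misses.items() if len(ids) >= probe_threshold}
    return {"shared_uuids": shared, "probers": probers}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A UUID served to two different principals is the signal to chase first: on an unpatched instance it is exactly what a successful exploit looks like. The denial count is a weaker heuristic (random UUIDs are not practically guessable, so a burst of misses usually means replay of identifiers leaked elsewhere) and the threshold should be tuned to normal error rates.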

Evidence notes

The vulnerability description and fix information are derived from the official pretix release blog post and NVD entry. The CVSS 4.0 vector and CWE classification are from NVD. The vendor identification as 'pretix' is based on the reference domain in the source material, though marked as requiring review due to the 'Unknown Vendor' classification in the source data.

Official resources

2026-05-27T15:16:36.250Z