Insecure direct object reference_CVE-2026-9712

3.8 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

Description

When creating an export through the pretix API, API clients are
returned an UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.

One remaining API endpoint, however, wrongfully did not verify if the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the correct user. In reality, this is
hard to exploit because an attacker would need to have access to a valid
UUID for the file they desire which is unlikely to happen without a
separate security problem giving them access to logs etc.

Basic Information

ID CVE-2026-9712

Source rami.io

Published May 27, 2026 at 14:35

Affected Product

Vendor pretix

Product pretix

Version 2024.10.0

Affected Versions pretix pretix 2024.10.0
pretix pretix 2026.2.0
pretix pretix 2026.3.0
pretix pretix 2026.4.0

CWE Classification

CWE-639

References

pretix.eu /about/en/blog/20260527-release-2026-4-2/

{
    "lastseen": "",
    "description": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.",
    "published": "2026-05-27T14:35:58.857Z",
    "modified": "2026-05-27T14:35:58.857Z",
    "type": "cve",
    "title": "Insecure direct object reference",
    "source": "rami.io",
    "references": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/",
    "id": "CVE-2026-9712",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "pretix pretix 2024.10.0\npretix pretix 2026.2.0\npretix pretix 2026.3.0\npretix pretix 2026.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 3.8,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pretix",
    "version": "2024.10.0",
    "vendor": "pretix",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}