- Product: pretix (2 products)
- Vulnerabilities: 2 flaws (CVE-2026-13602, CVE-2026-13603)
- Highest severity: 9 (Critical · CVSSv4)
- Worst impact: SSRF with API key leak in
- Status: No confirmed exploitation yet; patches available
- Action: Update to 2026.3.5, 2026.4.5, 2026.5.3, 2.5.7 (+6) now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-13603 | 9 | SSRF with API key leak in | 1.4.4 | Not exploited |
| CVE-2026-13602 | 7.7 | Session takeover | 2026.3.5, 2026.4.5, 2026.5.3 (+7) | Not exploited |
The pretix team shipped version 2026.5.3 to fix two critical flaws. The update also covers 2026.4.5 and 2026.3.5.post1, plus several payment plugins. Both bugs rate critical, so admins should patch now.
Why These pretix Vulnerabilities Matter
pretix is a popular open-source ticketing and event platform. Many groups run it to sell tickets and take payments. As a result, a backend breach can expose attendee data and payment secrets.
The first flaw could hand an attacker any backend account. A second bug could leak a payment provider’s API key. Both earn a critical rating.
pretix found these bugs in an internal review. Hosted customers are already patched. They need no action.
How the Attacks Work
CVE-2026-13602: Session Takeover Chain
This session takeover flaw links three weak spots. First, payment plugins pass signed session data through a URL. The plugins checked the signature only. They never checked the scope of that data.
Next, a redirect tool reused the same signing key and salt. So an attacker with access to one event could get any data signed. That signed data then unlocked session values.
A third tool lets admins act as another user for debugging. An attacker could abuse it to switch users by guessing a valid ID. Chained together, these steps gave full admin access.
CVE-2026-13603: SSRF and API Key Leak
The pretix-oppwa plugin builds a status URL from a user value called resourcePath. It joined that value to the base domain with no trailing slash and no checks. So an attacker could point the request at their own server.
Each request carries the Oppwa API token. As a result, that token leaks to the attacker. The stolen key then exposes data in the payment provider’s system. To spot abuse, scan your access logs for resourcePath= that lacks a trailing slash or %2F.
Exploitation Status
pretix found strong signs the session takeover chain was never used in an attack. No public proof-of-concept exists for either bug. Still, the critical impact makes fast patching wise.
Affected Versions
All pretix builds since 4.14 carry the session takeover chain. Older installs may qualify too, if they added the listed plugins after October 2022. Every released pretix-oppwa version carries the SSRF bug.
Patch and Mitigation
Fixes for both pretix vulnerabilities ship in 2026.5.3, 2026.4.5, and 2026.3.5.post1. Update to one of these builds right away. Seven plugins received fixes, so review each one you run. Also update the patched plugins, such as pretix-oppwa 1.4.4. After that, ask your payment provider for a fresh API token.
Cannot update yet? Block the /control/users/impersonate/stop URL at your webserver as a stopgap. For the full details, read the official pretix 2026.5.3 release notes.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.