CVE-2026-5600 Overview
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This authorization bypass vulnerability allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.
The exposed records contain information on the time and result of every ticket scan as well as the ID of the matched ticket, including fields such as id, successful, error_reason, position, datetime, list, device, and type.
Critical Impact
API consumers can access check-in data across all events under an organizer, potentially exposing sensitive event attendance information and ticket scan records beyond their authorized scope.
Affected Products
- Pretix 2025.x versions prior to 2026.3.1
- Pretix installations using the affected check-in events API endpoint
Discovery Timeline
- April 8, 2026 - CVE-2026-5600 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5600
Vulnerability Analysis
This vulnerability is classified under CWE-653 (Improper Isolation or Compartmentalization) and represents a broken access control flaw in the pretix event ticketing platform. The affected API endpoint fails to properly scope its data retrieval query to the specific event the API consumer has access to, instead returning check-in records across all events belonging to the same organizer.
The vulnerability requires network access and high privileges (an authenticated API consumer), but allows unauthorized access to data from events outside the consumer's permission scope. While an unauthorized user typically cannot match the returned position IDs back to individual people without additional context, the exposure of check-in metadata (timestamps, success/failure status, device information) across multiple events represents a significant information disclosure concern for organizations hosting multiple events under a single organizer account.
Root Cause
The root cause stems from improper isolation in the API query logic. When the check-in events endpoint was introduced, the data retrieval function failed to properly filter results by the specific event ID the API consumer was authorized to access. Instead, the query scope was incorrectly set to the organizer level, returning all check-in records associated with any event under that organizer.
Attack Vector
An attacker with legitimate API access to one event under an organizer can exploit this vulnerability by simply querying the affected check-in events endpoint. The API will return check-in data for all events belonging to that organizer, regardless of the attacker's actual access permissions. This is a network-based attack that requires authenticated API access but no user interaction.
The vulnerability exposes JSON records containing check-in metadata such as timestamps, success status, ticket position IDs, check-in list references, and device identifiers for events the attacker should not have access to.
Detection Methods for CVE-2026-5600
Indicators of Compromise
- Unusual API query patterns to check-in event endpoints with responses containing data from multiple events
- API access logs showing single authenticated users retrieving disproportionately large check-in datasets
- Requests to check-in endpoints returning event IDs that don't match the authorized event scope
Detection Strategies
- Monitor API access logs for check-in endpoint queries that return data volumes inconsistent with single-event access
- Implement alerting on API responses containing records with event references outside the requesting user's authorized scope
- Audit API token permissions and compare against actual data access patterns
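The scoping bug described under Root Cause, and the out-of-scope check suggested in the detection strategies and API gateway workaround, are easier to reason about side by side. The following Python block is an added illustration, not pretix's code: it models the check-in records with in-memory dataclasses (the field names follow the advisory's list, with `list` and `datetime` renamed to `checkin_list` and `scanned_at`; the `event` attribute, the `Event`/`ApiToken` types, the event slugs and all sample records are constructed assumptions). The vulnerable query filters by the organizer of the requested event, exactly the behaviour the advisory describes; the fixed query filters by the authorized event; the audit helper flags any returned record whose event lies outside the token's scope, which is the check a log auditor or gateway filter would perform.

```python
"""Model of the CVE-2026-5600 scoping bug (hypothetical, not pretix's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Event:
    slug: str
    organizer: str


@dataclass(frozen=True)
class ApiToken:
    organizer: str
    events: FrozenSet[str]  # events this API consumer is authorized to read


@dataclass(frozen=True)
class CheckinRecord:
    # Advisory fields: id, successful, error_reason, position, datetime, list, device, type.
    # 'event' is an assumed attribute used only for scoping in this example.
    id: int
    successful: bool
    error_reason: Optional[str]
    position: int
    scanned_at: datetime
    checkin_list: int
    device: int
    type: str
    event: str


# Constructed sample data: one organizer, two events, two scans each.
EVENTS = {
    "conf-a": Event("conf-a", "demo-org"),
    "conf-b": Event("conf-b", "demo-org"),
}
_T = datetime(2026, 4, 8, 9, 0, tzinfo=timezone.utc)
RECORDS: List[CheckinRecord] = [
    CheckinRecord(1, True, None, 101, _T, 1, 7, "entry", "conf-a"),
    CheckinRecord(2, False, "already_redeemed", 101, _T, 1, 7, "entry", "conf-a"),
    CheckinRecord(3, True, None, 202, _T, 2, 8, "entry", "conf-b"),
    CheckinRecord(4, True, None, 203, _T, 2, 8, "exit", "conf-b"),
]
TOKEN_A = ApiToken("demo-org", frozenset({"conf-a"}))  # legitimate access to conf-a only


def _require_event_access(token: ApiToken, event_slug: str) -> Event:
    """Both variants verify the consumer may read the requested event."""
    if event_slug not in token.events:
        raise PermissionError(f"token not authorized for event {event_slug!r}")
    return EVENTS[event_slug]


def checkin_events_vulnerable(token: ApiToken, event_slug: str) -> List[CheckinRecord]:
    """Buggy variant: the filter is scoped to the organizer, so every event's scans leak."""
    event = _require_event_access(token, event_slug)
    return [r for r in RECORDS if EVENTS[r.event].organizer == event.organizer]


def checkin_events_fixed(token: ApiToken, event_slug: str) -> List[CheckinRecord]:
    """Corrected variant: the filter is scoped to the single authorized event."""
    event = _require_event_access(token, event_slug)
    return [r for r in RECORDS if r.event == event.slug]


def out_of_scope_events(token: ApiToken, records: List[CheckinRecord]) -> List[str]:
    """Audit/gateway check: events referenced in a response that the token may not read."""
    return sorted({r.event for r in records if r.event not in token.events})


def fixed_denies(token: ApiToken, event_slug: str) -> bool:
    """True if the fixed endpoint refuses a request for an event outside the token's scope."""
    try:
        checkin_events_fixed(token, event_slug)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    leaked = checkin_events_vulnerable(TOKEN_A, "conf-a")
    print("vulnerable returned", len(leaked), "records; out of scope:",
          out_of_scope_events(TOKEN_A, leaked))
    scoped = checkin_events_fixed(TOKEN_A, "conf-a")
    print("fixed returned", len(scoped), "records; out of scope:",
          out_of_scope_events(TOKEN_A, scoped))
```

Run as a script, the vulnerable variant returns all four records and the audit helper reports `conf-b` as out of scope; the fixed variant returns only the two `conf-a` records and the helper reports nothing. The same `out_of_scope_events` logic, applied to logged responses together with the token's authorized events, is the alert condition the detection strategies above describe.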
Monitoring Recommendations
- Enable detailed logging for all check-in API endpoint requests including response sizes and event IDs returned
- Implement rate limiting and anomaly detection on check-in data retrieval endpoints
- Regularly audit API consumer access patterns against their authorized event scopes
How to Mitigate CVE-2026-5600
Immediate Actions Required
- Upgrade pretix installations to version 2026.3.1 or later immediately
- Audit API access logs to identify any potential unauthorized data access prior to patching
- Review and restrict API token permissions to minimum necessary scope
- Notify affected organizers if unauthorized cross-event data access is detected
Patch Information
Pretix has released version 2026.3.1 which addresses this vulnerability. Organizations running affected versions should update immediately. For more details, see the Pretix Blog Release Announcement.
Workarounds
- Temporarily disable or restrict access to the affected check-in events API endpoint until patching is complete
- Implement additional API gateway filtering to validate event scope in check-in endpoint responses
- Use separate organizer accounts for events requiring strict data isolation between API consumers
# Upgrade example (shell)
# Upgrade pretix to the patched version; quote the requirement so the shell does not treat '>' as a redirect
pip install --upgrade 'pretix>=2026.3.1'
# Apply database migrations and rebuild static assets after the upgrade
python -m pretix migrate
python -m pretix rebuild
# Verify the installed version
pip show pretix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

