pretix
cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*
- >= 2026.10.0, < 2026.3.1
A vulnerability in the Pretix API introduced in version 2025 allows unauthorized access to check-in events across all events of the same organizer. Instead of limiting the response to the event named in the request, the endpoint returns check-in information for every event under the organizer's account, including details such as ticket scan times, scan results, and ticket IDs. This issue could lead to unauthorized data access, especially where an organizer account hosts events run by third parties, since an API consumer authorized for one event can read check-in data from the others.
Exploitation of this vulnerability could result in unauthorized access to check-in data from multiple events under the same organizer, potentially allowing API consumers to piece together information about ticket holders even though the exposed records carry no direct personal identifiers.
Users are advised to update to Pretix versions 2026.3.1, 2026.2.1, or 2026.1.2, all of which include the necessary fix. For those using the Pretix Hosted service, the vulnerability has already been addressed.
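The defect class described above, a nested-resource endpoint scoped to the organizer but not to the event, as an added illustration in plain Python. This is not pretix's code or schema; the record layout, organizer and event slugs, and ticket IDs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


# Constructed, simplified stand-in for the rows an event-scoped check-in
# endpoint returns; NOT pretix's data model.
@dataclass(frozen=True)
class Checkin:
    organizer: str
    event: str
    ticket_id: str
    scanned_at: datetime
    result: str  # e.g. "ok", "already_redeemed"


# Constructed sample data: one organizer with two events, plus an event of
# a different organizer that happens to reuse the same event slug.
CHECKINS = [
    Checkin("acme", "conf-2026", "T-1001", datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc), "ok"),
    Checkin("acme", "conf-2026", "T-1002", datetime(2026, 3, 1, 9, 5, tzinfo=timezone.utc), "ok"),
    Checkin("acme", "partner-meetup", "T-2001", datetime(2026, 3, 2, 18, 0, tzinfo=timezone.utc), "ok"),
    Checkin("other-org", "conf-2026", "T-3001", datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc), "ok"),
]


def list_checkins_vulnerable(organizer: str, event: str) -> list[Checkin]:
    # The bug class from the advisory: the handler scopes the query to the
    # organizer taken from the URL but never applies the event, so every
    # event of that organizer leaks into the response.
    return [c for c in CHECKINS if c.organizer == organizer]


def list_checkins_fixed(organizer: str, event: str) -> list[Checkin]:
    # Hardened form: scope to the (organizer, event) pair from the URL.
    # Both predicates are applied together, so a caller also cannot reach
    # an equally named event under a different organizer.
    return [c for c in CHECKINS if c.organizer == organizer and c.event == event]


def leaked_events(rows: list[Checkin], organizer: str, event: str) -> list[tuple[str, str]]:
    # Defender-side check on a response: any (organizer, event) pair other
    # than the one requested is data the caller was not entitled to see.
    return sorted({(c.organizer, c.event) for c in rows} - {(organizer, event)})
```

Running `leaked_events` against a response from the patched versions listed above should always return an empty list; a non-empty result is the signature of the unpatched behaviour.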