Multiple security vulnerabilities affecting pretix versions All pretix builds since 4 have been identified in pretix, a popular open-source ticketing and event platform. The overall risk/impact is critical, as both bugs rate critical, so admins should patch now.
CVE-2026-13602 (CVSS 7.7 — Critical): A session takeover flaw links three weak spots, allowing an attacker with access to one event to get any data signed, which then unlocks session values and gives full admin access.[/subscribe_to_unlock_form]
Multiple security vulnerabilities affecting pretix versions All pretix builds since 4 have been identified in pretix, a popular open-source ticketing and event platform. The overall risk/impact is critical, as both bugs rate critical, so admins should patch now.
CVE-2026-13602 (CVSS 7.7 — Critical): A session takeover flaw links three weak spots, allowing an attacker with access to one event to get any data signed, which then unlocks session values and gives full admin access.[emaillocker id="1283"]
CVE-2026-13603 (CVSS 9 — Critical): An SSRF bug in the pretix-oppwa plugin leaks a payment provider’s API key when an attacker points a request at their own server. Each request carries the Oppwa API token, exposing data in the payment provider’s system.
These vulnerabilities collectively present a significant risk to administrators who have not patched yet.
We recommend you to update pretix to version 2026.3.5, 2026.4.5, 2026.5.3.
The following reports contain further technical details:
[/emaillocker]