Threat Advisory

Pretix Flaws Let Attackers Steal Sessions and Leak API Keys

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting pretix versions All pretix builds since 4 have been identified in pretix, a popular open-source ticketing and event platform. The overall risk/impact is critical, as both bugs rate critical, so admins should patch now.

CVE-2026-13602 (CVSS 7.7 — Critical): A session takeover flaw links three weak spots, allowing an attacker with access to one event to get any data signed, which then unlocks session values and gives full admin access.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting pretix versions All pretix builds since 4 have been identified in pretix, a popular open-source ticketing and event platform. The overall risk/impact is critical, as both bugs rate critical, so admins should patch now.

CVE-2026-13602 (CVSS 7.7 — Critical): A session takeover flaw links three weak spots, allowing an attacker with access to one event to get any data signed, which then unlocks session values and gives full admin access.[emaillocker id="1283"]

CVE-2026-13603 (CVSS 9 — Critical): An SSRF bug in the pretix-oppwa plugin leaks a payment provider’s API key when an attacker points a request at their own server. Each request carries the Oppwa API token, exposing data in the payment provider’s system.

These vulnerabilities collectively present a significant risk to administrators who have not patched yet.

RECOMMENDATION:

We recommend you to update pretix to version 2026.3.5, 2026.4.5, 2026.5.3.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu