CVE-2026-11764

Summary

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

Affected Software

VendorProductVersion RangeStatus
pretixpretix2024.1.0 < 2026.3.0affected
pretixpretix2026.3.0 < 2026.4.0affected
pretixpretix2026.4.0 < 2026.5.0affected
pretixpretix2026.5.0 < 2026.6.0affected

Weaknesses

  • CWE-280: CWE-280 Improper handling of insufficient permissions or privileges

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References