Auth bypass in Pretix Venueless

CVE-2026-13350

Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.

Vulnerability class: IDOR (Insecure Direct Object Reference)

Affected products

Pretix Venueless — versions 0.0.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

655498c3-6ec5-4f0b-aea6-853b334d05a6