Auth bypass in Pretix

CVE-2026-9712

When creating an export through the pretix API, API clients are returned a UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual f…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (13.5th percentile)

Affected products

  • Pretix — versions 2024.10.0, 2026.2.0, 2026.3.0
