CVE Record

CVE-2026-9712: Insecure direct object reference

When creating an export through the pretix API, API clients are returned a UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire, which is unlikely to happen without a separate security problem giving them access to logs, etc.

Severity: Low. CVSS: 3.8. Not KEV-listed.

Glexia's Take (priority: low)

Analyst readout for executives and security teams

Plain-English summary

pretix had an access-control mistake in one API download endpoint. A logged-in API user with a valid temporary file UUID could potentially download a file that was not meant for them. The sources describe exploitation as difficult because the attacker would need the target UUID from another weakness, such as exposed logs.

Executive priority

Treat as a low-priority but legitimate confidentiality issue. Schedule remediation in the normal patch cycle, sooner if pretix handles sensitive attendee, ticketing, or financial exports, or if logs are broadly accessible across teams or vendors.

Technical view

CVE-2026-9712 is an insecure direct object reference (CWE-639, authorization bypass through a user-controlled key) in pretix temporary file downloads. One API endpoint resolved the UUID in the request straight to a file without verifying that the file was meant to be downloadable at all and that it belonged to the requesting user. The analyst readout treats pretix versions 2024.10.0, 2026.2.0, 2026.3.0, and 2026.4.0 as affected; note that the affected-products table extracted from the CVE record further down this page carries a status of "unaffected" for the same version tokens, so confirm the exact affected range against the pretix 2026.4.2 release advisory before acting on either list.
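The following is an added example, not pretix code, that models the control failure described above: a download handler that selects a temporary file by UUID alone, next to one that binds the lookup to the caller and to the file's downloadable state. The TempFile and Store types, the "export" versus "internal" purpose flag, and the handler names are hypothetical and exist only to show the check that CWE-639 requires.

```python
"""Vulnerable vs. hardened lookup for a UUID-addressed temporary file.

Added example, not pretix code: TempFile, Store, the "export"/"internal"
purpose flag and the handler names are hypothetical and only model the
ownership/downloadability check the advisory says one endpoint skipped.
"""
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class NotFound(Exception):
    """One error for unknown, foreign, internal and expired IDs, so the
    response does not reveal whether a guessed UUID exists."""


@dataclass
class TempFile:
    id: uuid.UUID
    owner: str          # identity of the API client that created the file
    purpose: str        # "export": user-downloadable; "internal": never served
    expires: datetime   # temporary files should stop being served after expiry
    content: bytes


@dataclass
class Store:
    files: dict = field(default_factory=dict)

    def create(self, owner: str, purpose: str, content: bytes,
               ttl: timedelta = timedelta(hours=1)) -> TempFile:
        f = TempFile(uuid.uuid4(), owner, purpose,
                     datetime.now(timezone.utc) + ttl, content)
        self.files[f.id] = f
        return f


def parse_id(raw: str) -> uuid.UUID:
    # Reject anything that is not a UUID before touching the store.
    try:
        return uuid.UUID(raw)
    except ValueError:
        raise NotFound() from None


def download_vulnerable(store: Store, requester: str, raw_id: str) -> bytes:
    """The CWE-639 shape: the UUID alone selects the object, so whoever holds
    the UUID (from a log, a ticket, a screenshot) gets the bytes. `requester`
    is accepted but never consulted."""
    f = store.files.get(parse_id(raw_id))
    if f is None:
        raise NotFound()
    return f.content


def download_fixed(store: Store, requester: str, raw_id: str) -> bytes:
    """Scope the lookup to the caller and to files that are meant to be served."""
    f = store.files.get(parse_id(raw_id))
    if (f is None
            or f.owner != requester                       # belongs to the caller
            or f.purpose != "export"                      # is downloadable at all
            or f.expires <= datetime.now(timezone.utc)):  # and has not expired
        raise NotFound()
    return f.content


def try_download(handler, store: Store, requester: str, raw_id: str):
    """Return the bytes, or None when the handler refuses."""
    try:
        return handler(store, requester, raw_id)
    except NotFound:
        return None


def scenario() -> dict:
    """Alice owns an export, an internal file and an expired export;
    Bob has obtained Alice's export UUID from somewhere else."""
    store = Store()
    export = store.create("alice", "export", b"attendees.csv")
    internal = store.create("alice", "internal", b"invoice-render.pdf")
    expired = store.create("alice", "export", b"old.csv", ttl=timedelta(seconds=-1))
    return {
        "bob_vulnerable": try_download(download_vulnerable, store, "bob", str(export.id)),
        "bob_fixed": try_download(download_fixed, store, "bob", str(export.id)),
        "alice_fixed": try_download(download_fixed, store, "alice", str(export.id)),
        "alice_internal_fixed": try_download(download_fixed, store, "alice", str(internal.id)),
        "alice_expired_vulnerable": try_download(download_vulnerable, store, "alice", str(expired.id)),
        "alice_expired_fixed": try_download(download_fixed, store, "alice", str(expired.id)),
        "garbage_fixed": try_download(download_fixed, store, "alice", "not-a-uuid"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result!r}")
```

The hardened handler returns the same NotFound for a foreign, internal, expired or unknown UUID; distinguishing those cases in the response would turn the endpoint into an oracle for which identifiers exist.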

Likely exposure

Exposure is limited to organizations running the affected pretix versions with API clients or users able to request temporary file downloads. Risk increases if temporary file UUIDs appear in accessible logs, monitoring systems, support tickets, or other places available to unauthorized users.

Exploitation context

The provided sources do not report active exploitation, and the CVE is not in CISA's KEV catalog. The CVSS v4.0 vector carries E:U (exploit maturity unreported). Practical exploitation requires a valid UUID for the desired file, which the vendor description says is unlikely without a separate security problem such as exposed logs.

Researcher notes

The key control failure is missing ownership and downloadability validation for UUID-addressed temporary files: the endpoint resolved the UUID to a file without checking that the file was meant to be served or that it belonged to the caller. The evidence does not support broad anonymous exposure (the vector requires low privileges, PR:L) or confirmed exploitation. Testing should focus on authorization boundaries and on where UUIDs leak (logs, monitoring, tickets), without assuming UUID guessing is practical: the identifier in the description has the shape of a version-4 UUID, which carries 122 random bits.

Mitigation direction

  • Identify whether pretix runs version 2024.10.0, 2026.2.0, 2026.3.0, or 2026.4.0.
  • Review the pretix 2026.4.2 release advisory and apply vendor guidance.
  • Limit pretix API access to trusted users and integrations.
  • Protect logs and monitoring data that may contain temporary file UUIDs.
  • Review support workflows for accidental sharing of export or temporary file identifiers.

Validation and detection

  • Inventory deployed pretix versions across production, staging, and hosted environments.
  • Confirm whether affected API download endpoints are reachable by API clients.
  • Review access logs for unusual temporary file download requests.
  • Check log stores for exposed UUID values tied to exports or temporary files.
  • Verify remediation against the vendor advisory after updating.
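The log review steps above, as an added example that is not pretix tooling: it parses constructed access-log lines, flags downloads of an export UUID by an identity other than the one that created the export (a 200 on such a request is what the missing ownership check looks like in traffic), and searches a second constructed log store for export UUIDs that should not be there. The log line format, the /api/v1/download/<uuid>/ path and the creator map are assumptions for illustration; adapt the regexes to the real request paths and log format.

```python
"""Review access logs for cross-user temporary-file downloads and for
UUIDs leaking into other log stores.

Added example, not pretix tooling. The log format, the
/api/v1/download/<uuid>/ path and the EXPORT_CREATORS map are constructed
for illustration; in practice the creator map comes from the export-job
creation log or the application database.
"""
import re

UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Combined-log style line with the authenticated API identity in the user field.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Hypothetical download path; replace with the real endpoint pattern.
DOWNLOAD_PATH_RE = re.compile(r"^/api/v1/download/(?P<uuid>" + UUID_RE + r")/?$")
ANY_UUID_RE = re.compile(UUID_RE, re.IGNORECASE)

# Constructed: which identity created each export job.
EXPORT_CREATORS = {
    "35742818-c375-4d15-839f-d49aecce94d6": "alice",
    "8d6b3c2a-6f1e-4e8b-9a0c-2f5d7e1c4b9a": "carol",
}

# Constructed access log: bob fetches alice's export (200) and probes carol's (404).
ACCESS_LOG = """\
10.0.0.5 - alice [12/May/2026:10:00:01 +0000] "GET /api/v1/download/35742818-c375-4d15-839f-d49aecce94d6/ HTTP/1.1" 200 5120
10.0.0.9 - bob [12/May/2026:10:02:17 +0000] "GET /api/v1/download/35742818-c375-4d15-839f-d49aecce94d6/ HTTP/1.1" 200 5120
10.0.0.9 - bob [12/May/2026:10:02:20 +0000] "GET /api/v1/download/8d6b3c2a-6f1e-4e8b-9a0c-2f5d7e1c4b9a/ HTTP/1.1" 404 0
10.0.0.7 - carol [12/May/2026:10:05:00 +0000] "GET /api/v1/download/8d6b3c2a-6f1e-4e8b-9a0c-2f5d7e1c4b9a/ HTTP/1.1" 200 880
10.0.0.9 - bob [12/May/2026:10:06:00 +0000] "GET /api/v1/events/ HTTP/1.1" 200 2048
"""

# Constructed second store (a debug log or support-ticket export) that should
# not contain file identifiers at all. Note the upper-case UUID.
OTHER_LOG = """\
2026-05-12 10:01:30 INFO export job 35742818-C375-4D15-839F-D49AECCE94D6 finished for organizer demo
2026-05-12 10:01:31 INFO sending mail to helpdesk@example.invalid
"""


def download_events(log_text):
    """Return (user, uuid, status) for every download request in the access log."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        p = DOWNLOAD_PATH_RE.match(m["path"])
        if p:
            events.append((m["user"], p["uuid"].lower(), int(m["status"])))
    return events


def cross_user_downloads(events, creators):
    """Downloads of a UUID by an identity other than the export's creator.
    A 200 is the signature of the missing ownership check; a 404 is a failed
    attempt that is still worth keeping as evidence of probing."""
    hits = []
    for user, fid, status in events:
        creator = creators.get(fid)
        if creator is not None and user != creator:
            hits.append({"user": user, "uuid": fid, "creator": creator, "status": status})
    return hits


def uuid_leaks(log_text, known_ids):
    """Known export UUIDs that appear anywhere in a store that should not hold them."""
    found = {m.group(0).lower() for m in ANY_UUID_RE.finditer(log_text)}
    return sorted(found & set(known_ids))


def review():
    events = download_events(ACCESS_LOG)
    return {
        "events": events,
        "cross_user": cross_user_downloads(events, EXPORT_CREATORS),
        "leaks": uuid_leaks(OTHER_LOG, EXPORT_CREATORS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(), indent=2))
```

Run against the constructed data, the review reports two cross-user requests by bob (one served with 200, one refused with 404) and one export UUID leaked into the second log store. After patching, the same query should show only 404s for cross-user requests; before patching, any 200 in that list is a confidentiality incident to investigate.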
Prepared with medium confidence from 3 sources. Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

CWE lookup (low confidence)

CWE-639: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

CVE lookup (low confidence)

CVE-2026-9712 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Vulnerability profile (CVE Program record)

Severity: Low
CVSS: 3.8 (CVSS v4.0)
Known Exploited: No
Published:

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1 CVSS vector, 3 timeline events, 0 ADP providers, 2 source links.

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

Score: 3.8
Version: CVSS 4.0
Severity: Low
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U
Source: rami.io

Vulnerability scoring details

Base CVSS 4.0 score

3.8 Low
CVSS 4.0 vector for CVE-2026-9712, decoded metric by metric:

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): None
Vulnerable System Confidentiality (VC): High
Vulnerable System Integrity (VI): None
Vulnerable System Availability (VA): None
Subsequent System Confidentiality (SC): High
Subsequent System Integrity (SI): None
Subsequent System Availability (SA): None
Exploit Maturity (E): Unreported

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reserved (CVE Program): the CVE ID was reserved by the assigning CNA.
  2. CVE published (CVE Program): the CVE record was published.
  3. CVE updated (CVE Program): the CVE record metadata indicates this as the latest update time.

Source materials

Affected products

Products and packages named in the record

Vendor: pretix
Product: pretix
Version / package: pretix, 2024.10.0, 2026.2.0, 2026.3.0, 2026.4.0
Status: unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-639 (source CWE mapping): mapping pending import

This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.