pretix

Security release 2025.10.1 of pretix and pretix-offlinesales

Dec. 19, 2025

An external reporter has made us aware of a security issue in pretix. We therefore just released versions 2025.10.1, 2025.9.3, and 2025.8.3 of pretix that fix this problem, as well as version 1.12.2 of the plugin pretix-offlinesales. It is strongly recommended that you update your installation as soon as possible, especially if you host pretix for third-party event organizers.

If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.

#1: Insecure direct object reference [MEDIUM]

CVE ID: CVE-2025-14881, CVE-2025-14882

When creating an export through the pretix API, API clients are returned a UUID for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used elsewhere in pretix when temporary files are generated, both for internal use and for download.

The API, however, wrongfully did not verify whether the UUID used for the download actually belongs to a file that is meant to be downloadable and that belongs to the requesting user. In practice this is hard to exploit, because an attacker would need a valid UUID for the file they want, which is unlikely to happen without a separate security problem (for example access to logs) exposing it to them.
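As an added illustration (this is not pretix's code and not the actual patch), the following Python model reproduces the flow described above: a file store hands out random UUIDs for export jobs and for internal temporary files, a download endpoint that trusts the UUID alone, and a hardened endpoint that scopes the lookup to the requesting user and to files flagged as downloadable. All names (CachedFile, FileStore, download_vulnerable, download_fixed, NotFound) and the scenario in demo() are assumptions made for this example.

```python
# Added example for this advisory. It is NOT pretix's code: it is a small
# in-memory model of the export/download flow described in the text, written
# to show the missing check and one way to add it. All names (CachedFile,
# FileStore, download_vulnerable, download_fixed, NotFound) are assumptions
# chosen for illustration, not pretix identifiers.
import uuid
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for 'no such file', 'not yours' and 'not downloadable' alike."""


@dataclass
class CachedFile:
    id: uuid.UUID
    owner: str          # user / API token that created the job
    downloadable: bool  # False for files generated only for internal use
    content: bytes


@dataclass
class FileStore:
    files: dict = field(default_factory=dict)

    def _add(self, owner: str, downloadable: bool, content: bytes) -> uuid.UUID:
        # uuid4() draws 122 random bits, which is why guessing an ID is not a
        # practical attack; a leaked ID (logs, tickets, screenshots) is the risk.
        f = CachedFile(uuid.uuid4(), owner, downloadable, content)
        self.files[f.id] = f
        return f.id

    def create_export(self, owner: str) -> uuid.UUID:
        """What an API client gets back after creating an export job."""
        return self._add(owner, True, b"export-for-" + owner.encode())

    def create_internal_temp(self, owner: str) -> uuid.UUID:
        """Same kind of ID, but for a file never meant to be downloaded."""
        return self._add(owner, False, b"internal-for-" + owner.encode())

    def download_vulnerable(self, raw_id: str, requester: str) -> bytes:
        """Flawed pattern: an existing, well-formed UUID is treated as proof
        of entitlement. The requester is never consulted."""
        file_id = uuid.UUID(raw_id)  # still rejects malformed input
        try:
            return self.files[file_id].content
        except KeyError:
            raise NotFound(raw_id) from None

    def download_fixed(self, raw_id: str, requester: str) -> bytes:
        """Hardened pattern: the lookup is scoped to the caller and to files
        flagged as downloadable, and every failure collapses into the same
        NotFound so the response does not reveal that the ID exists."""
        file_id = uuid.UUID(raw_id)
        f = self.files.get(file_id)
        if f is None or f.owner != requester or not f.downloadable:
            raise NotFound(raw_id)
        return f.content


def demo() -> dict:
    """Constructed scenario: Mallory has learned Alice's UUIDs (e.g. from a
    leaked log line) and replays them against both endpoints."""
    store = FileStore()
    alice_export = str(store.create_export("alice"))
    alice_temp = str(store.create_internal_temp("alice"))

    def leaks(fn, file_id: str, requester: str) -> bool:
        try:
            fn(file_id, requester)
            return True
        except NotFound:
            return False

    return {
        "vuln_cross_user": leaks(store.download_vulnerable, alice_export, "mallory"),
        "vuln_internal_file": leaks(store.download_vulnerable, alice_temp, "mallory"),
        "fixed_cross_user": leaks(store.download_fixed, alice_export, "mallory"),
        "fixed_internal_file": leaks(store.download_fixed, alice_temp, "mallory"),
        "fixed_owner_internal": leaks(store.download_fixed, alice_temp, "alice"),
        "fixed_owner_export": store.download_fixed(alice_export, "alice") == b"export-for-alice",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The point of the hardened variant is that ownership and the "downloadable" flag are part of the lookup itself rather than a check bolted on afterwards, and that the owner is denied the internal temporary file too: a UUID that is valid for one purpose must not unlock files created for another.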

Severity rating: The preconditions for a successful attack are unlikely to be met in real-world usage, but the flaw is still a bypass of the authorization check on downloads, so we assess the severity as medium.

Affected versions: All currently supported versions of pretix before 2025.10.1 are affected, except the fixed versions listed below.

Affected plugins: This also affects the pretix Enterprise plugin pretix-offlinesales starting from version 1.12.0. We have released version 1.12.1 with the fix.

This issue has been reported by Deniz Parlak.

Fixed versions

We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 2025.8, please upgrade to a recent version now.

The new docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to stay informed about bugfix and security releases, you should follow this blog closely. An RSS feed is available, and we also announce every blog post on Mastodon.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.

Raphael Michel

Raphael is the founder and CEO of pretix, who also leads our development team. He is passionate about user-friendly, elegant software, and when he's not busy building software for conference organizers, he enjoys co-organizing conferences himself.
