pretix

Security release 2026.3.1 of pretix

April 8, 2026

We have recently been made aware of a security issue inside pretix. We therefore just released versions 2026.3.1, 2026.2.1, and 2026.1.2 of pretix that fix this problem. It is strongly recommended that you update your installation as soon as possible, especially if you host pretix for third-party event organizers.

If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.

#1: API leaks check-in data between events of the same organizer [MEDIUM]

CVE ID: CVE-2026-5600

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to.

These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:

{
  "id": 123,
  "successful": true,
  "error_reason": null,
  "error_explanation": null,
  "position": 321,
  "datetime": "2020-08-23T09:00:00+02:00",
  "list": 456,
  "created": "2020-08-23T09:00:00+02:00",
  "auto_checked_in": false,
  "gate": null,
  "device": 1,
  "device_id": 1,
  "type": "entry"
}

An unauthorized user usually has no way to match these IDs (position) back to individual people.

Severity rating: Since this bug only affects data isolation within the same organizer account and the data that can be obtained does not directly contain personal information, we consider the severity to be medium.

Affected versions: All currently supported versions of pretix after 2026.10.0 and prior to 2026.3.1 (except the fixed versions listed below) are affected.

Credit: This issue was discovered by Pratik Karan. Thanks for reporting!
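
The scoping mistake described in #1, and an isolation check that catches it, as an added Python example. It is not pretix source code and not the actual patch; the data, event slugs and function names are constructed for illustration.

```python
# Added illustration, not pretix code. All names and data are hypothetical.

# Check-in list ID -> (organizer, event) that owns the list (constructed).
CHECKIN_LISTS = {
    456: ("org-a", "summer-fest"),
    789: ("org-a", "staff-party"),
    111: ("org-b", "other-conf"),
}

# Constructed records using fields from the example record above.
CHECKINS = [
    {"id": 1, "list": 456, "position": 321, "successful": True},
    {"id": 2, "list": 456, "position": 322, "successful": False},
    {"id": 3, "list": 789, "position": 900, "successful": True},
    {"id": 4, "list": 111, "position": 50, "successful": True},
]


def organizer_scoped(organizer, event):
    """Bug class from the advisory: 'event' is accepted but never filtered on."""
    return [c for c in CHECKINS if CHECKIN_LISTS[c["list"]][0] == organizer]


def event_scoped(organizer, event):
    """Corrected scoping: the owning list must match organizer AND event."""
    return [c for c in CHECKINS if CHECKIN_LISTS[c["list"]] == (organizer, event)]


def leaked_records(response, organizer, event):
    """Isolation check: records whose check-in list is not owned by the event."""
    own = {lid for lid, scope in CHECKIN_LISTS.items() if scope == (organizer, event)}
    return [c for c in response if c["list"] not in own]


if __name__ == "__main__":
    for handler in (organizer_scoped, event_scoped):
        response = handler("org-a", "summer-fest")
        leaked = leaked_records(response, "org-a", "summer-fest")
        print(handler.__name__, "returned", len(response), "leaked", len(leaked))
```

The same check works as a regression test for any event-scoped listing: request one event, then assert that every returned record resolves to a check-in list owned by that event.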

Fixed versions

We just released updates for the last three stable versions on PyPI that fix problem #1. If you run a pretix installation older than 2026.1, please upgrade to a recent version now.

The new Docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as quickly as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.

Raphael Michel

Raphael is the founder and CEO of pretix, who also leads our development team. He is passionate about user-friendly, elegant software, and when he's not busy building software for conference organizers, he enjoys co-organizing conferences himself.
