
Security release 2026.5.1 of pretix

June 9, 2026

An external reporter has made us aware of a security issue in pretix. We therefore just released versions 2026.5.1, 2026.4.3, and 2026.3.3 of pretix that fix this problem. It is strongly recommended that you update your installation as soon as possible.

If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.

#1: Data exposed without proper permission [LOW]

CVE ID: CVE-2026-11764

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

Please note that we will not treat every issue of this type as a security issue. pretix is a powerful system, and that power is mostly in the connection between different features. Isolating system parts through permissions fully will make the system much less useful. For example, a user with read access to orders is also able to see the gift card secret of the gift card that was used to pay for that order, even if they do not have general permission to view gift cards. This is intentional behavior that we plan to keep. We are treating this case as a security issue due to the mismatch between user interface, API and export that makes the permission boundary hard to test and understand.

Severity rating: Since the situation of access to all reusable media but not to gift cards is a highly unlikely permission setup in real-world usage and requires a high level of permissions to exploit, but it is still technically a bypass of the permission system, we assess the severity as low.

Affected versions: All currently supported versions between 2024.1.0 and 2026.5.0 (except the fixed versions listed below) are affected.

Compatibility note: The feature required to fix this properly only appeared in 2026.4. Therefore, the backport to 2026.3 will stay on the safe side and disable full gift card info in the export for all users. Upgrade to 2026.4.3 or 2026.5.1 for a proper fix.
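To make the permission mismatch described above concrete, here is an added illustration (not pretix's own code) of an export routine before and after the fix, plus the conservative backport behaviour. Names, the data model and the visible prefix length are assumptions; the advisory only says that the UI and API show "the first letters" of a secret.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the number of leading characters the UI/API reveal is a placeholder.
VISIBLE_PREFIX = 4


@dataclass
class GiftCard:
    secret: str


@dataclass
class ReusableMedium:
    identifier: str
    giftcard: Optional[GiftCard] = None


def masked(secret: str) -> str:
    """Mask a secret the way the UI/API do: keep a short prefix, hide the rest."""
    return secret[:VISIBLE_PREFIX] + "*" * max(0, len(secret) - VISIBLE_PREFIX)


def export_media_before(media, can_view_giftcards: bool):
    """Pre-fix behaviour: the permission flag is never consulted, so the full
    secret ends up in the export regardless of what the user may see elsewhere."""
    return [{"medium": m.identifier,
             "giftcard_secret": m.giftcard.secret if m.giftcard else None}
            for m in media]


def export_media_after(media, can_view_giftcards: bool, backport_mode: bool = False):
    """Fixed behaviour: apply the same gift card permission check as the UI/API.
    backport_mode mirrors the 2026.3 backport, which masks for every user."""
    rows = []
    for m in media:
        secret = None
        if m.giftcard:
            reveal = can_view_giftcards and not backport_mode
            secret = m.giftcard.secret if reveal else masked(m.giftcard.secret)
        rows.append({"medium": m.identifier, "giftcard_secret": secret})
    return rows


# Constructed sample data for a quick check.
SAMPLE_MEDIA = [
    ReusableMedium("NFC-0001", GiftCard("ABCD1234EFGH")),
    ReusableMedium("NFC-0002"),
]
```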

This issue has been reported by Mr. JDH.

Fixed versions

We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 2026.3, please upgrade to a recent version now.

The new docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.

Raphael Michel

Raphael is the founder and CEO of pretix, who also leads our development team. He is passionate about user-friendly, elegant software, and when he's not busy building software for conference organizers, he enjoys co-organizing conferences himself.
