Security release 2026.5.3 of pretix and multiple plugins
After the recent increase in security issues reported by researchers, we have intensified our own efforts to search for possible security issues in our code base. During this search, we discovered two issues of critical severity.
We therefore just released versions 2026.5.3, 2026.4.5, and 2026.3.5 of pretix as well as updates for multiple plugins that fix these problems. It is strongly recommended that you update your installation as soon as possible.
If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.
#1: Session takeover vulnerability chain [CRITICAL]
CVE ID: CVE-2026-13602
We found a chain combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:
- The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than checking that the cryptographic signature is valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set.
- An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using a different salt for the signature in each plugin and feature.
- A third, unrelated feature in the core system is used by admin users to act on behalf of another user, mostly for debugging purposes. Being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
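The first two fixes in this chain (a per-feature salt, and an allowlist of session keys a plugin may restore) are easy to show in miniature. The following is an added example written for this post, not pretix's own code: it uses a stdlib HMAC in place of Django's signing module, a constructed secret in place of the installation's SECRET_KEY, and hypothetical salt and session-key names. It shows that a token minted by the Referer-hiding redirect no longer verifies under the Stripe session-transfer salt, and that even a correctly signed token is rejected if it carries a session key outside the plugin's scope.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Assumption: stands in for the installation's Django SECRET_KEY (constructed value).
SECRET_KEY = b"constructed-demo-secret-key-do-not-reuse"

# One salt per feature, as in the fix: a token minted for the Referer-hiding
# redirect must not verify as a Stripe session-transfer token. The salt strings
# are hypothetical; pretix's real salt names may differ.
SALT_STRIPE_SESSION = "pretix_stripe_session_transfer"
SALT_REFERER_REDIRECT = "pretix_referer_redirect"

# Session keys the Stripe transfer feature may carry (hypothetical names).
# Anything outside this allowlist is rejected even with a valid signature.
STRIPE_ALLOWED_KEYS = frozenset({"payment_stripe_order_secret", "payment_stripe_payment_intent"})


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _key_for(salt: str) -> bytes:
    # Derive a per-feature MAC key from salt + secret, so tokens from one
    # feature are not valid for another even though the secret is shared.
    return hashlib.sha256(salt.encode("utf-8") + SECRET_KEY).digest()


def sign_params(params: dict, salt: str) -> str:
    """Return '<payload>.<mac>' for a dict of parameters under a feature salt."""
    payload = json.dumps(params, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(_key_for(salt), payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_params(token: str, salt: str) -> Optional[dict]:
    """Return the signed dict if the MAC is valid under this salt, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(_key_for(salt), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        params = json.loads(payload)
    except ValueError:
        return None
    return params if isinstance(params, dict) else None


def restore_session_params(token: str, salt: str, allowed_keys: frozenset) -> Optional[dict]:
    """Hardened restore: the signature must be valid under *this feature's* salt
    AND every key must be inside the plugin's allowlist. None on any violation."""
    params = verify_params(token, salt)
    if params is None:
        return None
    if set(params) - allowed_keys:
        return None
    return params


if __name__ == "__main__":
    legit = sign_params({"payment_stripe_order_secret": "abc"}, SALT_STRIPE_SESSION)
    print("own salt, scoped keys:", restore_session_params(legit, SALT_STRIPE_SESSION, STRIPE_ALLOWED_KEYS))
    # Signed by the redirect feature: different salt, so the MAC does not verify here.
    cross = sign_params({"payment_stripe_order_secret": "abc"}, SALT_REFERER_REDIRECT)
    print("foreign salt:", restore_session_params(cross, SALT_STRIPE_SESSION, STRIPE_ALLOWED_KEYS))
```

The allowlist check is the part that would have blocked the third step of the chain even without the salt fix: a session key that is not the plugin's own simply never reaches the session.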
For pretix Hosted, we have performed an extensive review across multiple categories of logs. We have found a strong indication that the vulnerability was never exploited.
Severity rating: Since this could lead to full compromise of an admin account, we consider the severity critical.
Affected versions: All versions of pretix since 4.14 (except the fixed versions listed below and newer) are affected, as well as potentially older versions with any of the listed plugins installed after October 2022.
Workaround: If you are unable to update quickly, we recommend blocking the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; } into the correct block. However, this only removes the most critical impact of the chain, not the underlying weaknesses, and we still recommend that you plan an update as soon as possible.
This issue has been discovered internally.
#2: SSRF with API key leak in pretix-oppwa [CRITICAL]
CVE ID: CVE-2026-13603
The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.
Our plugin pretix-oppwa did so insecurely by concatenating the parameter from the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL.
After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix. For pretix Hosted, all potentially affected customers have already been notified.
Severity rating: Although this cannot lead to compromise of a pretix account, the payment provider account stores sensitive data that is accessible with the API key, and the exploit requires no permissions in the system, so we consider the severity critical.
Affected versions: All released versions of pretix-oppwa (except the fixed versions listed below) are affected.
Workaround: If you are unable to update pretix quickly, we still recommend trying to install the latest version of the pretix-oppwa plugin. We have not tested it with every old pretix release, but we expect it to be compatible with any version after 2025.1. Otherwise, we recommend uninstalling the pretix-oppwa plugin.
Attack detection: If you have access logs, you can search them for resourcePath= not followed by a / or an encoded slash (%2F).
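Two things from the description above are worth seeing as code: how strict validation of the callback value keeps the status request on the API origin, and how the log search in the detection hint can be automated. The following is an added example written for this post, not the pretix-oppwa plugin's code: the base URL, callback path, checkout ids and access-log lines are all constructed, and the validated path shape is taken from the ?resourcePath=/v1/checkouts/{checkoutId}/payment form quoted above. It shows the pre-fix concatenation beside a hardened builder, and runs the advisory's detection rule over sample log lines.

```python
import re
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed base URL standing in for the provider's Oppwa API endpoint.
# The trailing slash matters: the advisory notes its absence was part of the bug.
OPPWA_BASE_URL = "https://oppwa.example/"

# Shape of the documented callback value: /v1/checkouts/{checkoutId}/payment
RESOURCE_PATH_RE = re.compile(r"^/v1/checkouts/[A-Za-z0-9._-]+/payment$")


def vulnerable_status_url(base_url: str, resource_path: str) -> str:
    # The pre-fix pattern as described: plain concatenation, no validation,
    # and a baseUrl without a trailing slash.
    return base_url.rstrip("/") + resource_path


def safe_status_url(base_url: str, resource_path: str) -> Optional[str]:
    """Hardened: resourcePath must match the documented shape, and the resolved
    URL must still be on the API origin. Returns None on any violation."""
    if not RESOURCE_PATH_RE.match(resource_path):
        return None
    base = urlsplit(base_url)
    final = urlsplit(urljoin(base_url, resource_path))
    # Belt and braces: even if the regex were loosened later, never leave the origin.
    if (final.scheme, final.netloc) != (base.scheme, base.netloc):
        return None
    return final.geturl()


# Constructed access-log lines (combined log format; hypothetical callback path and ids).
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [05/May/2026:09:12:01 +0000] "GET /plugins/oppwa/return/?resourcePath=/v1/checkouts/ck_111/payment HTTP/1.1" 200 812',
    '198.51.100.7 - - [05/May/2026:09:13:44 +0000] "GET /plugins/oppwa/return/?resourcePath=%2Fv1%2Fcheckouts%2Fck_222%2Fpayment HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/May/2026:09:15:09 +0000] "GET /plugins/oppwa/return/?resourcePath=other.example%2Fv1%2Fcheckouts%2Fck_333%2Fpayment HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/May/2026:09:15:10 +0000] "GET /plugins/oppwa/return/?resourcePath=&id=1 HTTP/1.1" 400 0',
]

# The advisory's detection rule: resourcePath= not followed by '/' or '%2F'
# (hex digit matched case-insensitively).
SUSPICIOUS_RE = re.compile(r"resourcePath=(?!/|%2[Ff])")


def find_suspicious(lines: List[str]) -> List[str]:
    """Return the log lines whose resourcePath value does not start with a slash."""
    return [line for line in lines if SUSPICIOUS_RE.search(line)]


if __name__ == "__main__":
    print("safe:", safe_status_url(OPPWA_BASE_URL, "/v1/checkouts/ck_111/payment"))
    print("rejected:", safe_status_url(OPPWA_BASE_URL, "other.example/v1/checkouts/ck_111/payment"))
    for hit in find_suspicious(SAMPLE_ACCESS_LOG):
        print("suspicious:", hit)
```

The regex flags an empty resourcePath= as well, which is worth a look but is not by itself evidence of an attempt; the hits that matter are values beginning with something other than a slash.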
This issue has been discovered internally.
Fixed versions
We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 2026.3, please upgrade to a recent version now:
- pretix 2026.5.3
- pretix 2026.4.5
- pretix 2026.3.5
We have also published these fixed plugin versions:
- pretix-mollie 2.5.7
- pretix-oppwa 1.4.4
- pretix-bitpay 1.5.3
- pretix-payone 1.4.3
- pretix-secuconnect 1.0.4
- pretix-sofort 1.4.2
- pretix-saferpay 1.6.3
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are human, security issues unfortunately may still occur from time to time. We do everything we can to find and fix them as quickly as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.