CVE-2026-11764

Source
https://cve.org/CVERecord?id=CVE-2026-11764
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11764.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11764
Published
2026-06-09T11:54:37.865Z
Modified
2026-07-15T01:49:16.449715236Z
Severity
  • 3.6 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U CVSS Calculator
Summary
Data exposed without proper permission
Details

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

Database specific
{
    "cwe_ids": [
        "CWE-280"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11764.json",
    "cna_assigner": "rami.io"
}
References

Affected packages

Git / github.com/pretix/pretix

Affected ranges

Type
GIT
Repo
https://github.com/pretix/pretix
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2024.1.0"
        },
        {
            "fixed": "2026.3.0"
        },
        {
            "introduced": "2026.3.0"
        },
        {
            "fixed": "2026.4.0"
        },
        {
            "introduced": "2026.4.0"
        },
        {
            "fixed": "2026.5.0"
        },
        {
            "introduced": "2026.5.0"
        },
        {
            "fixed": "2026.6.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v2024.*
v2024.1.0
v2024.10.0
v2024.11.0
v2024.2.0
v2024.3.0
v2024.4.0
v2024.5.0
v2024.6.0
v2024.7.0
v2024.8.0
v2024.9.0
v2025.*
v2025.1.0
v2025.10.0
v2025.2.0
v2025.3.0
v2025.4.0
v2025.5.0
v2025.6.0
v2025.7.0
v2025.8.0
v2025.9.0
v2026.*
v2026.1.0
v2026.2.0
v2026.3.0
v2026.4.0
v2026.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11764.json"