LOW

GHSA-r2h2-g46h-8mx8

pretix has Broken Access Control Allowing Cross-User File Access via UUID

Details

Multiple API endpoints allowed access to other users' sensitive files to anyone who knew a file's UUID, even though these files were not intended to be accessible by UUID alone.

Affected packages

PyPI / pretix
  Introduced in: 2025.10.0
  Fixed in: 2025.10.1
  Fix: pip install --upgrade 'pretix>=2025.10.1'

PyPI / pretix
  Introduced in: 2025.9.0
  Fixed in: 2025.9.3
  Fix: pip install --upgrade 'pretix>=2025.9.3'

PyPI / pretix
  Introduced in: 0
  Fixed in: 2025.8.3
  Fix: pip install --upgrade 'pretix>=2025.8.3'

References