LOW

GHSA-pmjj-h5jm-vxh4

pretix has Broken Access Control Allowing Cross-User File Access via UUID

Details

An API endpoint allowed access to sensitive files belonging to other users to anyone who knew the UUID of the file. These files were not intended to be accessible by UUID only.

Affected packages

PyPI / pretix
Introduced in: 2025.10.0
Fixed in: 2025.10.1
Fix: pip install --upgrade 'pretix>=2025.10.1'

PyPI / pretix
Introduced in: 2025.9.0
Fixed in: 2025.9.3
Fix: pip install --upgrade 'pretix>=2025.9.3'

PyPI / pretix
Introduced in: 0
Fixed in: 2025.8.3
Fix: pip install --upgrade 'pretix>=2025.8.3'

References