VYPR
Low severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-11764

Description

Pretix versions prior to 2026.5.1 improperly export gift card secrets, bypassing intended permission restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In pretix versions 2024.1.0 through 2026.5.0, the export of all reusable media incorrectly includes the full secrets of connected gift cards, even for users who lack explicit permission to view gift cards. This behavior contradicts the UI and API, which only display partial gift card secrets [1].

Exploitation

An attacker needs to have permissions to create an export of all reusable media. The attacker then initiates this export process. The vulnerability is triggered by the export function itself, which fails to properly enforce gift card viewing permissions [1].

Impact

Successful exploitation allows an attacker to obtain the full secrets of gift cards, circumventing the intended permission boundaries. While the scenario requires a specific, unlikely permission setup, it represents a bypass of the system's security controls [1].

Mitigation

Versions 2026.5.1, 2026.4.3, and 2026.3.3 have been released to address this vulnerability. Users are strongly recommended to update their installations. For pretix Hosted service customers, the fix has already been applied [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (1)
b404316dfd21

[SECURITY] Reusable media export: Respect giftcard permissions (CVE-2026-11764) (#6261)

https://github.com/pretix/pretix · Richard Schreiber · Jun 9, 2026 · via github-commit-search
1 file changed · +7 −1
  • src/pretix/base/exporters/reusablemedia.py (+7 −1, modified)
    @@ -64,15 +64,21 @@ def iterate_list(self, form_data):
             yield headers
             yield self.ProgressSetTotal(total=media.count())
     
    +        can_read_giftcards = self.permission_holder.has_organizer_permission(self.organizer, 'organizer.giftcards:read')
    +
             for medium in media.iterator(chunk_size=1000):
    +            giftcard_secret = medium.linked_giftcard.secret if medium.linked_giftcard_id else ''
    +            if giftcard_secret and not can_read_giftcards:
    +                giftcard_secret = giftcard_secret[:3] + "…"
    +
                 yield [
                     medium.type,
                     medium.identifier,
                     _('Yes') if medium.active else _('No'),
                     date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
                     medium.customer.identifier if medium.customer_id else '',
                     ', '.join([f"{op.order.code}-{op.positionid}" for op in medium.linked_orderpositions.all()]),
    -                medium.linked_giftcard.secret if medium.linked_giftcard_id else '',
    +                giftcard_secret,
                     medium.notes,
                 ]
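Review bot: the masking rule `giftcard_secret[:3] + "…"` is hard-coded inside the exporter, so the number of characters a non-privileged user sees depends on this file staying in step with however the UI and API truncate the same secret; a shared helper used by all three would make the "partial secret" boundary one definition instead of three. The guard `if giftcard_secret and not can_read_giftcards` is correct as written (a medium without a linked gift card keeps `''` rather than becoming `'…'`), and computing `can_read_giftcards` once before the loop is the right place for the check. Worth adding in the same change: a regression test that exports a medium with a linked gift card as a user lacking `organizer.giftcards:read` and asserts the full secret does not appear in the output, since the previous line `medium.linked_giftcard.secret if medium.linked_giftcard_id else ''` had no test catching it.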
     
    

Vulnerability mechanics

Root cause

"The reusable media export functionality did not check user permissions before including sensitive gift card secrets."

Attack vector

An attacker can trigger this vulnerability by creating an export of all reusable media. This export process includes the full secrets of connected gift cards, even if the user initiating the export lacks the necessary permissions to view them. This bypasses the intended permission boundary that restricts access to gift card secrets.

Affected code

The vulnerability exists in the `iterate_list` function within `src/pretix/base/exporters/reusablemedia.py`. Specifically, the code iterates through media and unconditionally includes `medium.linked_giftcard.secret` in the export data.

What the fix does

The patch introduces a check for the user's permission to read gift cards before including the full secret in the export. If the user does not have the 'organizer.giftcards:read' permission, the gift card secret is truncated to its first three characters followed by an ellipsis. This ensures that sensitive gift card information is only exposed to authorized users, aligning with UI and API behavior [patch_id=5354422].
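The permission-gated masking described above, written out as a self-contained illustration. This is added example code, not pretix's own code: `GiftCard`, `Medium`, `PermissionHolder`, the sample media and the organizer name are constructed stand-ins, and only the permission name `organizer.giftcards:read` and the "first three characters plus an ellipsis" masking rule come from the patch. The pre-fix and post-fix row builders sit side by side so the leak and its closure can be compared on the same input.

```python
"""Illustration of permission-gated secret masking in an export (hypothetical models)."""
from dataclasses import dataclass
from typing import List, Optional

# Permission name as used in the fix commit.
GIFTCARD_READ = "organizer.giftcards:read"


@dataclass
class GiftCard:            # constructed stand-in, not pretix's model
    secret: str


@dataclass
class Medium:              # constructed stand-in for a reusable medium
    identifier: str
    linked_giftcard: Optional[GiftCard] = None


@dataclass
class PermissionHolder:    # constructed stand-in for the exporting user
    permissions: frozenset

    def has_organizer_permission(self, organizer: str, perm: str) -> bool:
        # Real pretix scopes this to an organizer; the stub ignores the organizer argument.
        return perm in self.permissions


def mask_secret(secret: str) -> str:
    """Same rule as the fix: keep the first three characters, then an ellipsis."""
    return secret[:3] + "…"


def export_rows_vulnerable(media: List[Medium], holder: PermissionHolder) -> List[List[str]]:
    """Pre-fix behaviour: the full secret is written for every linked gift card,
    regardless of what `holder` is allowed to see."""
    return [
        [m.identifier, m.linked_giftcard.secret if m.linked_giftcard else ""]
        for m in media
    ]


def export_rows_fixed(media: List[Medium], holder: PermissionHolder,
                      organizer: str = "demo-org") -> List[List[str]]:
    """Post-fix behaviour: the permission is evaluated once per export and
    non-empty secrets are masked when the exporter may not read gift cards."""
    can_read_giftcards = holder.has_organizer_permission(organizer, GIFTCARD_READ)
    rows = []
    for m in media:
        secret = m.linked_giftcard.secret if m.linked_giftcard else ""
        # The `secret and` guard matters: a medium with no gift card must stay "",
        # not turn into "…".
        if secret and not can_read_giftcards:
            secret = mask_secret(secret)
        rows.append([m.identifier, secret])
    return rows


def leaked_full_secrets(rows: List[List[str]], media: List[Medium]) -> List[str]:
    """Detection helper: which full gift card secrets appear verbatim in the export?"""
    full = {m.linked_giftcard.secret for m in media if m.linked_giftcard}
    return sorted(s for s in full if any(s in cell for row in rows for cell in row))


# Constructed sample input.
SAMPLE_MEDIA = [
    Medium("card-001", GiftCard("GCSECRET-1234-ABCD")),
    Medium("card-002"),                      # no linked gift card
    Medium("card-003", GiftCard("GCSECRET-9999-ZZZZ")),
]
NO_GIFTCARD_PERM = PermissionHolder(frozenset({"organizer.reusable_media:read"}))
WITH_GIFTCARD_PERM = PermissionHolder(frozenset({"organizer.reusable_media:read", GIFTCARD_READ}))

if __name__ == "__main__":
    print("vulnerable:", export_rows_vulnerable(SAMPLE_MEDIA, NO_GIFTCARD_PERM))
    print("fixed, no permission:", export_rows_fixed(SAMPLE_MEDIA, NO_GIFTCARD_PERM))
    print("fixed, with permission:", export_rows_fixed(SAMPLE_MEDIA, WITH_GIFTCARD_PERM))
    print("leaked (vulnerable):", leaked_full_secrets(export_rows_vulnerable(SAMPLE_MEDIA, NO_GIFTCARD_PERM), SAMPLE_MEDIA))
    print("leaked (fixed):", leaked_full_secrets(export_rows_fixed(SAMPLE_MEDIA, NO_GIFTCARD_PERM), SAMPLE_MEDIA))
```

`leaked_full_secrets` is the shape of check a regression test for this class of bug should make: run the export as a user who holds only the export permission and assert that no full secret string appears anywhere in the produced rows.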

Preconditions

  • auth: The user creating the export must have access to the reusable media export functionality.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.