CVE-2026-11764 LOW

CVE-2026-11764: Data exposed without proper permission

Vendor: Pretix
Product: pretix
Weakness: CWE-280
Published: June 9, 2026
Last update: June 9, 2026

CVSS base score

3.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

What the vulnerability does

01 Description

When a user created an export of all reusable media, the secrets of connected gift cards were included in the export even if that user did not have permission to view gift cards. This is inconsistent with the UI and API, where only the first letters of the gift card secret are shown. The export therefore allows circumventing a permission boundary.

Key dates

02 Disclosure timeline

June 9, 2026: CVE published
June 9, 2026: Record updated