{"api_version":"1","generated_at":"2026-07-04T14:09:02+00:00","cve":"CVE-2026-13603","urls":{"html":"https://cve.report/CVE-2026-13603","api":"https://cve.report/api/cve/CVE-2026-13603.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-13603","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-13603"},"summary":{"title":"SSRF with API key leak in pretix-oppwa","description":"The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.","state":"PUBLISHED","assigner":"rami.io","published_at":"2026-07-01 14:16:31","updated_at":"2026-07-02 18:43:45"},"problem_types":["CWE-20","CWE-918","CWE-20 CWE-20 Improper input validation","CWE-918 CWE-918 Server-Side request forgery (SSRF)"],"metrics":[{"version":"4.0","source":"655498c3-6ec5-4f0b-aea6-853b334d05a6","type":"Secondary","score":"9","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"LOW","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"9","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9,"baseSeverity":"CRITICAL","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://pretix.eu/about/en/blog/20260701-release-2026-5-3/","name":"https://pretix.eu/about/en/blog/20260701-release-2026-5-3/","refsource":"655498c3-6ec5-4f0b-aea6-853b334d05a6","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-13603","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13603","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"pretix","product":"pretix-oppwa","version":"affected 1.4.4 python","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.Attack detection: If you have access logs, you can search them for resourcePath= not followed by a / or encoded slash %2F.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Workaround: If you are unable to update pretix quickly, we still recommend to try installing the pretix-oppwa\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to uninstall the pretix-oppwa plugin.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"13603","cve":"CVE-2026-13603","epss":"0.002530000","percentile":"0.165870000","score_date":"2026-07-03","updated_at":"2026-07-04 00:02:17"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-13603","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-01T14:07:27.700177Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-01T14:07:36.332Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://pypi.python.org","defaultStatus":"unaffected","packageName":"pretix-oppwa","product":"pretix-oppwa","repo":"https://github.com/pretix/pretix-oppwa","vendor":"pretix","versions":[{"lessThan":"1.4.4","status":"affected","version":"0","versionType":"python"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The payment integration <code>pretix-oppwa</code> provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n <code>?resourcePath=/v1/checkouts/{checkoutId}/payment</code> in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by <code>baseUrl + resourcePath</code>.</p><p>Our plugin <code>pretix-oppwa</code> did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a <code>/</code> at the end of the <code>baseUrl</code>. Therefore, an attacker could inject a <code>resourcePath</code> argument in a way that causes pretix to call a <em>different</em>\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.</p><p>\n\n</p><p><strong>After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.</strong></p>"}],"value":"The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix."}],"impacts":[{"capecId":"CAPEC-37","descriptions":[{"lang":"en","value":"CAPEC-37 Retrieve Embedded Sensitive Data"}]},{"capecId":"CAPEC-664","descriptions":[{"lang":"en","value":"CAPEC-664 Server Side Request Forgery"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9,"baseSeverity":"CRITICAL","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper input validation","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-918","description":"CWE-918 Server-Side request forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-01T13:18:09.434Z","orgId":"655498c3-6ec5-4f0b-aea6-853b334d05a6","shortName":"rami.io"},"references":[{"tags":["vendor-advisory"],"url":"https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<strong>After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.</strong><div><strong>Attack detection:</strong> If you have access logs, you can search them for <code>resourcePath=</code> not followed by a <code>/</code> or encoded slash <code>%2F</code>.<strong></strong></div>"}],"value":"After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.Attack detection: If you have access logs, you can search them for resourcePath= not followed by a / or encoded slash %2F."}],"title":"SSRF with API key leak in pretix-oppwa","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<strong>Workaround:</strong> If you are unable to update pretix quickly, we still recommend to try installing the <code>pretix-oppwa</code>\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to <strong>uninstall</strong> the <code>pretix-oppwa</code> plugin."}],"value":"Workaround: If you are unable to update pretix quickly, we still recommend to try installing the pretix-oppwa\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to uninstall the pretix-oppwa plugin."}],"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"655498c3-6ec5-4f0b-aea6-853b334d05a6","assignerShortName":"rami.io","cveId":"CVE-2026-13603","datePublished":"2026-07-01T13:18:09.434Z","dateReserved":"2026-06-29T08:26:51.607Z","dateUpdated":"2026-07-01T14:07:36.332Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-01 14:16:31","lastModifiedDate":"2026-07-02 18:43:45","problem_types":["CWE-20","CWE-918","CWE-20 CWE-20 Improper input validation","CWE-918 CWE-918 Server-Side request forgery (SSRF)"],"metrics":{"cvssMetricV40":[{"source":"655498c3-6ec5-4f0b-aea6-853b334d05a6","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"LOW","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-01T14:07:27.700177Z","id":"CVE-2026-13603","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"13603","Ordinal":"1","Title":"SSRF with API key leak in pretix-oppwa","CVE":"CVE-2026-13603","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"13603","Ordinal":"1","NoteData":"The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.","Type":"Description","Title":"SSRF with API key leak in pretix-oppwa"}]}}}