CVE-2026-2452
📋 TL;DR
This vulnerability allows authenticated users with email template editing permissions in pretix to exfiltrate sensitive system configuration data through malicious placeholder injection. Attackers can retrieve database passwords, API keys, and other sensitive information from the pretix.cfg configuration file. This affects all pretix instances where users have backend access to edit email templates.
💻 Affected Systems
- pretix
📦 What is this software?
Pretix by Pretix
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the pretix system including database access, API key theft, and potential lateral movement to connected systems.
Likely Case
Exfiltration of sensitive configuration data including database credentials and API keys, leading to data breaches and unauthorized access.
If Mitigated
Limited information disclosure if proper access controls and monitoring are in place to detect template manipulation.
🎯 Exploit Status
Exploitation requires authenticated access to the pretix backend with email template editing permissions. The attack vector is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.1.1
Vendor Advisory: https://pretix.eu/about/en/blog/20260216-release-2026-1-1/
Restart Required: Yes
Instructions:
1. Update pretix to version 2026.1.1 or later.
2. Restart the pretix service.
3. Rotate all passwords and API keys in pretix.cfg as recommended by the vendor.
🔧 Temporary Workarounds
Restrict Email Template Permissions
Limit backend access to only trusted administrators who need to edit email templates.
Monitor Template Changes
Implement logging and alerting for email template modifications to detect suspicious activity.
🧯 If You Can't Patch
- Immediately rotate all passwords and API keys in the pretix.cfg configuration file
- Restrict backend access to essential personnel only and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check pretix version - if it's earlier than 2026.1.1, the system is vulnerable.
Check Version:
python -c "import pretix; print(pretix.__version__)" or check the admin interface
Verify Fix Applied:
Verify pretix version is 2026.1.1 or later and test that malicious placeholders no longer work.
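The version check above is easy to get wrong with a plain string comparison ("2026.10.0" sorts before "2026.1.1" as text). The following is an added example, not code from this advisory or from the pretix project: it parses the version string numerically and compares it against the fixed release named above. It assumes pretix versions follow the "YYYY.N.M" pattern shown on this page, with optional suffixes such as ".dev0" or "rc1" that are ignored for the comparison.

```python
import re
from typing import Tuple

# Fixed release as stated in the vendor advisory on this page.
FIXED_VERSION = "2026.1.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'YYYY.N.M' into a tuple of ints for numeric comparison.

    Assumption: only the leading numeric components matter; a suffix such
    as '.dev0' or 'rc1' ends the parse. A pre-release of the fixed version
    (e.g. '2026.1.1.dev0') therefore compares as fixed; treat such builds
    with care and prefer the released version.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # e.g. '1rc1': stop after the number
            break
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad to equal length so '2026.1' compares like '2026.1.0'.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


if __name__ == "__main__":
    # Stand-alone use on a host: read the installed package version, if any.
    from importlib.metadata import PackageNotFoundError, version

    try:
        installed = version("pretix")
    except PackageNotFoundError:
        installed = None
    if installed is None:
        print("pretix is not installed in this Python environment")
    elif is_vulnerable(installed):
        print(f"pretix {installed} is earlier than {FIXED_VERSION}: vulnerable")
    else:
        print(f"pretix {installed} is {FIXED_VERSION} or later: fixed")
```

Run it in the Python environment that serves pretix; if several environments exist (containers, virtualenvs), check each one.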
📡 Detection & Monitoring
Log Indicators:
- Unusual email template modifications
- Multiple template save events from single user
- Template content containing unusual placeholder patterns
Network Indicators:
- Unusual outbound traffic patterns from pretix server
- Data exfiltration to external email addresses
SIEM Query:
source="pretix-logs" AND (event="template_modified" OR event="email_sent") AND (message="*__init__*" OR message="*__code__*" OR message="*co_filename*")
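The SIEM query above matches a few fixed strings. The following added example, which is not part of this advisory and not pretix code, applies the same detection to log lines offline and generalises it: it flags the three markers from the query, flags any placeholder that carries attribute traversal (a dot or a dunder name inside braces), and raises a separate alert when one user saves templates in a burst, as the "Multiple template save events from single user" indicator describes. The log line format (`timestamp key=value ... message="..."`), the field names and the sample lines are all constructed for the example; the assumption that legitimate pretix placeholders are plain identifiers such as `{event_name}` is also the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Markers taken from the SIEM query on this page.
MARKERS = ("__init__", "__code__", "co_filename")

# Assumption of this example: legitimate placeholders look like {event_name}.
# Any placeholder with attribute traversal ('.') or a dunder name is suspicious.
SUSPICIOUS_PLACEHOLDER = re.compile(r"\{[^{}]*(?:\.|__\w+__)[^{}]*\}")

# key=value pairs; values may be double-quoted.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample log (not real pretix output). Line format is assumed.
SAMPLE_LOG = """\
2026-02-17T09:00:00Z event=template_modified user=alice template=order_placed message="Thanks for your order for {event_name}!"
2026-02-17T09:01:30Z event=template_modified user=mallory template=order_placed message="Hi {attendee_name}, see {event_name.__init__}"
2026-02-17T09:02:00Z event=template_modified user=mallory template=order_paid message="debug __code__ co_filename"
2026-02-17T09:03:10Z event=template_modified user=mallory template=order_changed message="Hello {attendee_name}"
2026-02-17T09:40:00Z event=email_sent user=system message="Thanks for your order for {event_name}!"
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split a constructed log line into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for m in KV.finditer(rest):
        # group 3 is the inside of a quoted value, group 2 the raw unquoted one
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def analyse(lines: List[str], burst_threshold: int = 3,
            window: timedelta = timedelta(minutes=10)) -> List[Tuple]:
    """Return alerts as (rule, user, detail) tuples.

    rule 'suspicious_content': message carries a page marker or a traversing
    placeholder; detail is the template name (or event type if absent).
    rule 'burst': one user produced >= burst_threshold template_modified
    events inside `window`; detail is the count seen.
    """
    alerts: List[Tuple] = []
    saves: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        msg = str(ev.get("message", ""))
        if any(m in msg for m in MARKERS) or SUSPICIOUS_PLACEHOLDER.search(msg):
            alerts.append(("suspicious_content", ev.get("user"),
                           ev.get("template", ev.get("event"))))
        if ev.get("event") == "template_modified":
            saves[str(ev.get("user"))].append(ev["ts"])  # type: ignore[arg-type]
    # Sliding-window count of saves per user.
    for user, stamps in saves.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("burst", user, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `burst_threshold` and `window` to how often your organisers genuinely edit templates; the content rule is the higher-fidelity signal, and the burst rule mainly helps surface an account working through many templates quickly.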