CVE-2026-13603 (CRITICAL), CNA: rami.io

CVE-2026-13603: SSRF with API key leak in pretix-oppwa

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to our system with a query parameter like ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath. Our plugin pretix-oppwa did so insecurely by concatenating the parameter from the URL to the base domain of the API without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different server instead. Since the request includes the access token (API key) of the Oppwa account, this would leak the access token, giving access to data contained in the payment provider's system. This is fixed with the release today by strictly validating the given API URL. After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
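The concatenation defect the advisory describes, shown beside a builder that strictly validates the resulting URL. This is an added illustration, not pretix-oppwa's own code; the base URL, the accepted resourcePath pattern and the hostile sample value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample base URL (the real Oppwa API host is not part of this page).
# Note the missing trailing slash, the condition the advisory calls out.
BASE_URL = "https://api.example-oppwa.test"

# Assumed shape of a legitimate resourcePath, per the advisory's example
# /v1/checkouts/{checkoutId}/payment; the checkoutId charset is an assumption.
RESOURCE_PATH_RE = re.compile(r"/v1/checkouts/[A-Za-z0-9._-]+/payment")

# Constructed hostile sample: with no "/" terminating the base URL, plain
# concatenation lets the parameter extend the host name instead of the path.
CRAFTED_PATH = ".attacker.example/v1/checkouts/x/payment"


def build_status_url_vulnerable(base_url: str, resource_path: str) -> str:
    """The pattern described in the advisory: concatenation, no validation."""
    return base_url + resource_path


def build_status_url_hardened(base_url: str, resource_path: str) -> str:
    """Only accept the documented path shape, then re-check the final host."""
    if not RESOURCE_PATH_RE.fullmatch(resource_path):
        raise ValueError("resourcePath does not match the expected Oppwa pattern")
    url = base_url.rstrip("/") + resource_path
    expected = urlsplit(base_url)
    actual = urlsplit(url)
    # Belt and braces: the request must still go to the configured API host,
    # so a token-bearing call can never be sent elsewhere.
    if (actual.scheme, actual.netloc) != (expected.scheme, expected.netloc):
        raise ValueError("resulting URL does not point at the configured API host")
    return url


def is_safe_resource_path(base_url: str, resource_path: str) -> bool:
    try:
        build_status_url_hardened(base_url, resource_path)
        return True
    except ValueError:
        return False


def host_of(url: str) -> str:
    return urlsplit(url).netloc


if __name__ == "__main__":
    legit = "/v1/checkouts/8ac7a4a0-const/payment"
    print("vulnerable, legit  ->", host_of(build_status_url_vulnerable(BASE_URL, legit)))
    print("vulnerable, crafted->", host_of(build_status_url_vulnerable(BASE_URL, CRAFTED_PATH)))
    print("hardened accepts crafted?", is_safe_resource_path(BASE_URL, CRAFTED_PATH))
```

The host comparison is the check that matters: an allow-list regex alone can drift out of date, but a request that would leave the configured API host must never carry the access token.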

Metrics

CVSS v4.0 score: 9.0
Severity: CRITICAL
Fixed in: 1.4.4
Affected products: 1


HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability exists in the pretix-oppwa payment integration plugin, which connects the pretix ticketing system to payment providers built on Oppwa technology such as VR Payment and Hobex. The plugin can be reached over the network by any unauthenticated user and requires no victim interaction to exploit. A successful attack causes the pretix server to send an outbound HTTP request carrying its Oppwa API key to an attacker-controlled host, leaking the key and granting the attacker full access to the connected payment provider account. A patched-image rebuild at version 1.4.4 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle pretix-oppwa, in both registry scans and live CI/CD pipeline checks.

Triage: Available

HarborGuard scores this CVE at CVSS 9.0 Critical and surfaces it in each customer environment weighted against that environment's compliance policy, routing the finding to the appropriate team inbox based on configured ownership rules.

Patch: Available

A patched-image rebuild at pretix-oppwa 1.4.4 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the pretix payment callback endpoint over the network; no special network position is required beyond a standard internet connection.

  • Authentication: Not required

    No account or credential of any kind is needed; the attacker manipulates a publicly accessible callback URL query parameter.

  • Victim interaction: Not required

    The exploit is fully server-side; no user needs to click a link or take any action for the attack to succeed.

  • Attack complexity: Low

    Exploitation is straightforward and condition-free: the attacker simply crafts a resourcePath value that redirects the outbound request, with no race condition or environmental dependency required.

Blast Radius

  • The attacker receives the Oppwa API access token in the inbound request to their server, giving them full programmatic access to the payment provider account.
  • With a stolen API key, the attacker can read transaction records and customer payment data stored in the payment provider's system.
  • The attacker can make modifications in the payment provider's system at the scope permitted by the stolen token, including altering or voiding transaction records.
  • Availability impact on the pretix service itself is low, but compromise of the payment provider account can disrupt payment processing for all events using the affected integration.

How HarborGuard Handles This

Available on HarborGuard: images containing pretix-oppwa at any version below 1.4.4 are flagged as soon as a scan runs against them, with the finding scored Critical (CVSS 9.0) and routed per each customer's compliance policy. A rebuilt image at version 1.4.4 is available for affected environments; for customers with auto-remediation enabled, the median time from CVE publication to a merged patch PR for critical-severity findings is around 90 minutes. Note that the upstream advisory explicitly recommends rotating the Oppwa API access token after upgrading, because any previously issued token may have been captured by an attacker. HarborGuard surfaces this advisory note in the finding detail so that operations teams have the remediation context alongside the image fix.


Fix available: 1.4.4

Affected packages:
  • pretix / pretix-oppwa, versions < 1.4.4 (from 0)

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U