{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-13603: SSRF with API key leak in pretix-oppwa","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-13603","status":"final","version":"1","initial_release_date":"2026-07-01T13:18:09.434Z","current_release_date":"2026-07-01T14:07:36.332Z","revision_history":[{"date":"2026-07-01T13:18:09.434Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter from the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-13603 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-13603"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-13603"},{"category":"external","summary":"pretix.eu","url":"https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"}]},"product_tree":{"branches":[{"category":"vendor","name":"pretix","branches":[{"category":"product_name","name":"pretix-oppwa","branches":[{"category":"product_version_range","name":"<1.4.4","product":{"name":"pretix pretix-oppwa <1.4.4","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:pretix:pretix-oppwa:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-13603","title":"SSRF with API key leak in pretix-oppwa","notes":[{"category":"description","text":"The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter from the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U","baseScore":9,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 1.4.4.","product_ids":["CSAFPID-1"]}]}]}