CVE-2026-13603
Gravedad CVSS v4.0:
CRÍTICA
Tipo:
CWE-20
Validación incorrecta de entrada
Fecha de publicación:
01/07/2026
Última modificación:
02/07/2026
Descripción
*** Pendiente de traducción *** The payment integration pretix-oppwa provides support <br />
for the payment providers VR Payment, Hobex, and potentially others <br />
based on Oppwa&#39;s technology. The integration of Oppwa, following their <br />
official documentation, includes a step where the user is redirected <br />
from the payment provider back to our system with a query parameter like<br />
?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.<br />
<br />
<br />
<br />
Our plugin pretix-oppwa did so insecurely by <br />
concatenating the parameter form the URL to the base domain of the API <br />
without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different<br />
server instead. Since the request includes the access token (API key) <br />
of the Oppwa account, this would leak the access token, giving access to<br />
data contained in the payment provider&#39;s system. This is fixed with the<br />
release today by strictly validating the given API URL.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
Impacto
Puntuación base 4.0
9.00
Gravedad 4.0
CRÍTICA



