External risk intelligence

`pretix-oppwa` Payment Integration Token Leak Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-13603

The vulnerability exists in a payment integration plugin for pretix, which is a web-based ticketing and event management platform. Because pretix is commonly deployed as a public-facing web application that handles transactions and user redirects, the payment integration endpoints are exposed to the internet and reachable as part of standard web-based payment workflows.

Server-Side Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in a payment integration plugin that processes transactions for events. The issue could allow an attacker to redirect requests to a malicious server, potentially exposing sensitive access tokens used to communicate with payment providers. The primary concern is to confirm if this specific plugin is in use and identify any potential exposure.

  • Plugin may leak payment access tokens.
  • Critical to verify if this specific plugin is in use.
  • Confirm relevance and exposure of payment integration.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by manipulating the redirection URL after a payment attempt. The pretix-oppwa plugin improperly concatenates a user-supplied `resourcePath` with a base URL without proper validation, allowing an attacker to craft a malicious URL that points to a different server. This could lead to the exposure of sensitive access tokens, granting unauthorized access to the payment provider's system.

  • Attacker crafts a malicious redirect URL.
  • Plugin concatenates attacker input to base URL.
  • Sensitive access tokens are leaked.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to trick the payment integration into sending sensitive payment provider access tokens to an attacker-controlled server. This could occur when a user completes a payment and is redirected back to the pretix system, provided the attacker can manipulate the redirect URL.

  • Payment provider access tokens at risk.
  • Insecure URL concatenation.
  • Sensitive data leakage.

Operational Fix

Recommended remediation, mitigation, and detection steps

The payment integration plugin for pretix likely falls under the responsibility of the application or platform team managing the pretix instance. The initial step involves identifying all pretix deployments, confirming their internet reachability and business criticality, and then assigning ownership for remediation. Coordination with the payment provider for new access tokens is also a necessary post-update action.

  • Application or platform team owns remediation.
  • Verify internet-facing pretix instances are identified.
  • Coordinate with payment provider for new tokens.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the pretix-oppwa plugin?

It is a software extension for pretix, a web-based platform used to manage tickets and events. This specific plugin connects pretix to payment providers like VR Payment and Hobex, which rely on Oppwa technology to process financial transactions during the event registration or checkout process.

What is the weakness behind CVE-2026-13603?

This CVE involves improper input validation and server-side request forgery. The plugin fails to safely handle a URL parameter, allowing it to be combined with a base domain in a way that creates an unintended address. Essentially, the software can be tricked into sending requests to the wrong destination, including unauthorized external servers.

How does an attacker trigger this vulnerability?

An attacker must be able to influence the redirection URL that occurs after a payment attempt. By injecting a specifically crafted value into the URL's resource path, they force the plugin to send a request to a server of their choice. If the system is not processing a payment redirect, the logic that performs this insecure concatenation does not execute, meaning standard navigation is unaffected.

Is my system at risk according to Halo Surface Signal?

Yes, if you use pretix with this plugin, your system is likely at risk. Halo Surface Signal identifies that because pretix is typically deployed as a public-facing application to handle web-based payments, the integration endpoints are directly reachable from the internet, making them accessible to potential attackers.

What steps should I take to secure my pretix instance?

First, update the pretix-oppwa plugin to the latest version to apply the necessary input validation fixes. Once the software is patched, you must contact your payment provider to invalidate your existing credentials and issue new access tokens, as the previous tokens may have been compromised during the period the vulnerability was active.

References