{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5599", "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "state": "PUBLISHED", "assignerShortName": "rami.io", "dateReserved": "2026-04-05T12:25:52.821Z", "datePublished": "2026-04-05T12:36:27.278Z", "dateUpdated": "2026-04-06T14:33:34.105Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "shortName": "rami.io", "dateUpdated": "2026-04-05T12:36:27.278Z"}, "title": "API allows deletion of users of other instance", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-653", "description": "CWE-653 Improper isolation or compartmentalization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "affected": [{"vendor": "pretix", "product": "Venueless", "repo": "https://github.com/venueless/venueless", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "02b9cbe5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."}]}], "references": [{"url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Pratik Karan", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T14:32:27.722668Z", "id": "CVE-2026-5599", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:33:34.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "API allows deletion of users of other instance", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pratik Karan"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/venueless/venueless", "vendor": "pretix", "product": "Venueless", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "02b9cbe5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds.", "supportingMedia": [{"type": "text/html", "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-653", "description": "CWE-653 Improper isolation or compartmentalization"}]}], "providerMetadata": {"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "shortName": "rami.io", "dateUpdated": "2026-04-05T12:36:27.278Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5599", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T14:32:27.722668Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-06T14:33:16.090Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-5599", "state": "PUBLISHED", "dateUpdated": "2026-04-05T12:36:27.278Z", "dateReserved": "2026-04-05T12:25:52.821Z", "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "datePublished": "2026-04-05T12:36:27.278Z", "assignerShortName": "rami.io"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."}], "id": "CVE-2026-5599", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary"}]}, "published": "2026-04-05T13:17:15.123", "references": [{"source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-653"}], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.0.0,02b9cbe5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Venueless", "source": "cna", "vendor": "pretix"}, "product": "venueless", "vendor": "pretix"}], "analysis": {"en": {"generated_at": "2026-04-05T15:51:08.801889+00:00", "value": {"mitigation_remediation": ["Apply the latest Venueless update once available from pretix.", "If a patch is not yet available, limit the \"manage users\" permission to trusted administrators only.", "Monitor system logs for unauthorized deletion attempts and verify account integrity regularly.", "Contact pretix Venueless support for guidance on additional mitigations."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized deletion of user accounts across instances"}, "threat_synthesis": {"affected_systems": "All releases of the Venueless product from pretix are potentially affected, as no specific version ranges are provided. Existing installations should assume this vulnerability is present until a patch is released.", "description_and_impact": "A user who has API access and the \"manage users\" permission in any Venueless world can delete user accounts that belong to other worlds. This cross\u2011instance authorization bypass removes legitimate user data and can disrupt service availability for unaffected users. The weakness is a zero\u2011click, cross\u2011instance privilege escalation, identified as CWE\u2011653.", "risk_and_exploitability": "The CVSS score of 7.3 indicates moderate to high severity. Exploit probability data is not published, and the vulnerability is not currently listed in the known exploited vulnerabilities catalog. Because the attack requires only API access with the \"manage users\" permission, the risk of exploitation is significant. The likely attack vector is remote via the public API, and an attacker can directly delete accounts belonging to other instances."}}}}, "created": "2026-04-06T20:23:24.981261+00:00", "updated": "2026-04-06T21:56:46.022681+00:00", "vendors": ["pretix", "pretix$PRODUCT$venueless"]}