CVE-2026-2452 in pretix-newsletter
Summary
by MITRE • 02/16/2026
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the use of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file (https://docs.pretix.eu/self-hosting/config/).
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability identified as CVE-2026-2452 resides in the pretix email template processing system and is a critical information disclosure flaw rooted in insecure template rendering. It specifically affects the placeholder substitution functionality that lets administrators customize email communications sent by the pretix platform. By design, users can define dynamic content in email templates using placeholder syntax such as {name}, which is replaced with actual customer data during email generation. However, the implementation contains a fundamental security flaw that allows arbitrary code execution through carefully crafted placeholder names, enabling attackers to extract sensitive system information.
Exploitation works through a code injection mechanism that bypasses the intended security restrictions. An attacker can construct a malicious placeholder name such as {{event.__init__.__code__.co_filename}} which, when processed by the template engine, triggers Python's introspection capabilities and reveals system file paths and potentially sensitive configuration data. This maps directly to CWE-94, "Improper Control of Generation of Code ('Code Injection')", and is a classic example of unsafe template processing that lets attackers reach internal object attributes and methods. The attack vector exploits the lack of proper input sanitization and validation in the placeholder processing pipeline, allowing an attacker to traverse the Python object model and extract information from the pretix system configuration.
The operational impact extends beyond simple information disclosure: an attacker with access to the pretix backend can potentially extract critical system credentials, including database passwords, API keys, and other sensitive configuration parameters stored in the pretix.cfg file. This creates a severe privilege escalation scenario in which any user with email template editing capabilities can obtain system-level information that should remain protected. The severity is compounded by the fact that the flaw sits in the platform's core email functionality, which is typically accessible to multiple users within an organization. The attack is a clear violation of the principle of least privilege and allows for lateral movement within the system, potentially leading to full system compromise if database credentials or other sensitive information are exposed.
Organizations affected by this vulnerability should immediately implement comprehensive mitigations, including rotating all passwords and API keys stored in the pretix.cfg configuration file as recommended by the vendor. The security community should consider this vulnerability in the context of ATT&CK techniques T1566 ("Phishing") and T1078 ("Valid Accounts"), as it enables attackers to leverage legitimate user access to extract sensitive information. Additional mitigations should include strict input validation for placeholder names, restricting user permissions for email template editing, and deploying monitoring to detect unusual template modifications. The vulnerability highlights the importance of secure template processing and demonstrates how seemingly innocuous features can become attack vectors when proper security controls are missing. Organizations should also review their configuration management practices to ensure that sensitive credentials are not stored in easily accessible configuration files, and consider more robust access controls and audit logging for all system configuration changes.
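The mitigation recommended above (strict validation of placeholder names before rendering) can be illustrated with a small allowlisting renderer. This is an added example written for this page, not pretix's own code; the placeholder allowlist and the function names are assumptions. It uses Python's own format-string parser to inspect each replacement field and refuses anything other than a bare, allowlisted name, so attribute or index traversal like the page's {event.__init__.__code__.co_filename} is rejected before any object is touched.

```python
import re
from string import Formatter

# Placeholder names a template may use (constructed allowlist for this example).
ALLOWED_PLACEHOLDERS = {"name", "event", "order_code"}

# A safe field is a plain identifier: no ".attr", no "[index]", no leading digits.
_SIMPLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_template(template: str) -> list[str]:
    """Return a list of problems found in the template; an empty list means it is safe."""
    problems: list[str] = []
    for _literal, field_name, format_spec, conversion in Formatter().parse(template):
        if field_name is None:
            continue  # literal text between placeholders, nothing to check
        # str.format field names may carry attribute (".") and index ("[") access, which is
        # exactly the object traversal the advisory describes; reject them outright.
        if not _SIMPLE_NAME.match(field_name):
            problems.append(f"disallowed field syntax: {field_name!r}")
        elif field_name not in ALLOWED_PLACEHOLDERS:
            problems.append(f"unknown placeholder: {field_name!r}")
        # Conversions ("!r") and format specs can nest further fields ("{name:{event}}"),
        # so they are not permitted either.
        if conversion is not None or format_spec:
            problems.append(f"conversion/format spec not permitted on {field_name!r}")
    return problems


def render_safely(template: str, values: dict) -> str:
    """Render only after validation, and substitute plain strings rather than live objects."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    # Every allowlisted key is supplied as a string, so nothing reachable from the
    # template is a Python object with attributes to walk.
    safe_values = {k: str(values.get(k, "")) for k in ALLOWED_PLACEHOLDERS}
    return template.format(**safe_values)


if __name__ == "__main__":
    print(render_safely("Hello {name}, see you at {event}!", {"name": "Ada", "event": "PyCon"}))
    print(validate_template("{event.__init__.__code__.co_filename}"))
```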