CVE-2026-60118 in Hi.Events
Summary
by MITRE • 07/14/2026
Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability exists within the Events through version 1.10.0-beta software where the system fails to implement proper server-side validation for ticket visibility controls during order processing. The flaw represents a critical authorization bypass that allows unauthenticated attackers to circumvent intended access restrictions by directly referencing hidden product and price identifiers in order creation requests. This missing enforcement mechanism creates an avenue for unauthorized ticket acquisition through manipulation of request parameters rather than legitimate purchasing workflows.
The technical implementation of this vulnerability stems from insufficient input validation and authorization checks within the order processing pipeline. When legitimate tickets are purchased, the system generates sequential IDs that are typically hidden from public view, yet attackers can observe patterns in visible ticket identifiers and extrapolate corresponding hidden values. This enumeration capability enables attackers to construct valid order requests containing references to restricted ticket types including VIP access, invite-only events, or discounted pricing tiers that should remain inaccessible to unauthorized users.
The operational impact of this vulnerability extends beyond simple financial loss as it compromises the integrity of event access controls and revenue models. Attackers can systematically purchase tickets that were explicitly designed to be unavailable to general public consumption, potentially undermining event exclusivity, disrupting pricing strategies, and creating unfair advantages for unauthorized participants. The vulnerability affects all ticket types that rely on server-side visibility controls rather than client-side presentation masking, making it particularly dangerous for events with limited capacity or special access requirements.
Organizations affected by this vulnerability should implement immediate server-side validation of ticket visibility states during order creation requests. The fix requires enforcing authorization checks at the API level to verify that requested tickets are publicly available before processing orders. This approach aligns with security best practices outlined in CWE-603 and addresses patterns identified in ATT&CK technique T1078.101 which covers valid accounts with restricted access. Implementation should include comprehensive logging of order attempts referencing hidden identifiers to detect potential exploitation patterns. Network segmentation and rate limiting on order creation endpoints can provide additional defense-in-depth measures while regular security audits should verify that all ticket visibility controls are properly enforced server-side rather than relying on client-side obfuscation techniques that can be easily bypassed.