CVE-2026-2451: CWE-627 Dynamic Variable Evaluation in pretix pretix-doistep
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name in the final email. This mechanism contained a security-relevant bug: it was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
AI Analysis
Technical Summary
CVE-2026-2451 is a vulnerability classified under CWE-627 (Dynamic Variable Evaluation) affecting pretix-doistep, a plugin for the pretix event ticketing system, specifically version 1.0.0. pretix allows email templates to include placeholders that dynamically insert customer data, such as {name} for the buyer's name. However, the template engine's handling of these placeholders contained a critical flaw: it permitted crafted placeholders like {{event.__init__.__code__.co_filename}}, which use Python's attribute access on the substituted object to reach internal attributes and code objects. This dynamic evaluation flaw enables an attacker with backend user privileges (anyone who can edit email templates) to exfiltrate sensitive system information, including database passwords and API keys stored in the pretix.cfg configuration file. Although pretix implements filtering mechanisms to prevent malicious placeholders, a coding error in the pretix-doistep plugin rendered these protections ineffective for that plugin. The vulnerability does not require user interaction, but it does require at least limited privileges, namely the ability to modify email templates. The CVSS 4.0 score is 7.5 (high), reflecting the network attack vector, high impact on confidentiality, integrity, and availability, high attack complexity, and the partial (backend user) privileges required. No public exploits are currently known. Because the flaw exposes critical secrets, exploitation could lead to further compromise of the system or connected infrastructure.
Potential Impact
For European organizations running pretix with version 1.0.0 of the pretix-doistep plugin, this vulnerability poses a significant risk of sensitive data leakage. Exposure of database credentials and API keys can lead to unauthorized access to backend databases, manipulation of event data, or further lateral movement within the organization's network. This can disrupt event operations, compromise customer data privacy, and damage organizational reputation. Given the widespread use of pretix in event management across Europe, especially in countries with vibrant event industries (e.g., Germany, France, UK), the impact could be substantial. Attackers exploiting this vulnerability could also leverage stolen credentials to launch supply chain attacks or access other integrated services. The breach of confidentiality and potential integrity violations may also trigger regulatory compliance issues under GDPR, leading to legal and financial consequences.
Mitigation Recommendations
1. Immediately restrict email template editing permissions to only highly trusted administrators to reduce the risk of malicious placeholder injection.
2. Audit all existing email templates for suspicious or complex placeholders that could exploit dynamic evaluation.
3. Rotate all passwords, API keys, and other sensitive credentials stored in the pretix.cfg configuration file to invalidate any potentially compromised secrets.
4. Monitor backend user activities for unusual template modifications or access patterns.
5. Apply any available patches or updates from pretix addressing this vulnerability as soon as they are released.
6. Consider implementing additional input validation or sandboxing mechanisms for template rendering to prevent arbitrary code evaluation.
7. Educate backend users about the risks of template modifications and enforce strict change management procedures.
8. If possible, isolate the pretix backend environment to limit the blast radius of any potential compromise.
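Recommendations 2 and 6 amount to one control: placeholders must be bare, allowlisted names that are looked up in a flat dictionary of pre-rendered strings, never evaluated as attribute paths against live objects. The following is an added example and not code from pretix or the pretix-doistep plugin; the allowlist, the sample templates and the context values are constructed for the demonstration. It goes slightly beyond the advisory's case by inspecting both single-brace ({name}) and double-brace ({{...}}) forms, so a placeholder written in either style is checked before anything is substituted. audit_template() is the scan you would run over stored templates; render_template() refuses to render when the audit finds anything.

```python
"""Strict placeholder handling for email templates (added example).

Not pretix or pretix-doistep code. The allowlist, sample templates and
context values below are constructed for this demonstration.
"""
import re
from typing import Mapping

# Constructed allowlist of placeholders templates may use. A real deployment
# would derive this from the placeholders the application documents.
ALLOWED_PLACEHOLDERS = frozenset({"name", "event", "code", "order_url"})

# One or more opening braces, the inner expression, one or more closing
# braces: both {name} and {{event.__init__...}} are inspected, so a
# double-brace form cannot slip past a check that only looks at {name}.
_PLACEHOLDER = re.compile(r"\{+\s*([^{}]*?)\s*\}+")

# A safe placeholder is a bare identifier: no dots, brackets, or calls.
_BARE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafePlaceholder(ValueError):
    """Raised when a template uses a placeholder that is not allowlisted."""


def audit_template(template: str) -> list[str]:
    """Return every placeholder expression in the template that is rejected.

    An expression is rejected when it is not a bare identifier (e.g. it
    contains '.' for attribute traversal) or when the name is not on the
    allowlist. An empty list means the template is clean; this is the
    function to run over all stored templates when auditing them.
    """
    rejected = []
    for match in _PLACEHOLDER.finditer(template):
        expr = match.group(1)
        if not _BARE_NAME.match(expr) or expr not in ALLOWED_PLACEHOLDERS:
            rejected.append(expr)
    return rejected


def render_template(template: str, context: Mapping[str, str]) -> str:
    """Substitute allowlisted placeholders with plain string values.

    Values come from a flat mapping of strings, so there is no object for a
    placeholder to traverse, and the render aborts on any disallowed
    placeholder instead of passing it through or evaluating it.
    """
    rejected = audit_template(template)
    if rejected:
        raise UnsafePlaceholder(f"disallowed placeholder(s): {rejected}")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        # A missing value renders as an empty string rather than leaking
        # placeholder syntax into the outgoing email.
        return str(context.get(name, ""))

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample templates: one legitimate, one carrying the
    # traversal placeholder quoted in the advisory.
    samples = [
        "Hello {name}, your ticket code for {event} is {code}.",
        "Hello {name}, {{event.__init__.__code__.co_filename}}",
    ]
    for sample in samples:
        print(repr(sample), "->", audit_template(sample) or "clean")
    print(render_template(samples[0], {"name": "Ada", "event": "DemoCon", "code": "X1"}))
```

The important design choice is that the context passed to render_template() contains strings only. Even if the traversal check were bypassed, there is no object behind the placeholder whose attributes could be walked; the regex check is defence in depth on top of that.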
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: rami.io
- Date Reserved: 2026-02-13T09:57:34.221Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6992f627bda29fb02f6786da
Added to database: 2/16/2026, 10:49:11 AM
Last enriched: 2/16/2026, 11:03:49 AM
Last updated: 2/17/2026, 10:43:32 AM