CVE-2026-2451: CWE-627 Dynamic Variable Evaluation in pretix pretix-doistep
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
AI Analysis
Technical Summary
CVE-2026-2451 is a vulnerability classified under CWE-627 (Dynamic Variable Evaluation) affecting the pretix-doistep plugin of the pretix ticketing system, version 1.0.0. The issue stems from the way pretix processes placeholders in email templates, which are dynamically replaced with customer data during email generation. Normally, placeholders like {name} are replaced with the buyer's name. However, due to insufficient sanitization and filtering of placeholder inputs in the pretix-doistep plugin, an attacker with the ability to modify email templates (typically any user with backend access) can inject specially crafted placeholders such as {{event.__init__.__code__.co_filename}}. This exploits Python's attribute introspection to walk from an exposed object to internal attributes and retrieve sensitive information from the system, including configuration files, database passwords, and API keys. Although pretix implements some mechanisms to block malicious placeholders, a coding mistake in this plugin bypasses these protections, enabling information disclosure. The vulnerability does not require user interaction but does require low privileges (a backend user account). The CVSS 4.0 score of 7.5 reflects a high severity due to the potential for significant confidentiality impact and the complexity of exploitation being moderate (high attack complexity). No public exploits have been reported yet. The vendor recommends immediate rotation of all credentials stored in pretix.cfg to mitigate potential compromise. No patches are currently linked, so organizations must rely on access control and credential management until fixes are available.
Potential Impact
The primary impact of CVE-2026-2451 is the unauthorized disclosure of sensitive information from the pretix system, including database passwords and API keys. This can lead to further compromise of backend systems, unauthorized data access, and potential lateral movement within the affected environment. Organizations using pretix for event ticketing and management could face data breaches involving customer information and internal configuration secrets. The vulnerability undermines confidentiality and could indirectly affect integrity and availability if attackers leverage stolen credentials to manipulate or disrupt services. Since exploitation requires backend user privileges, insider threats or compromised user accounts pose significant risks. The absence of user interaction lowers the barrier for exploitation once access is gained. The potential for credential exfiltration makes this a critical concern for organizations relying on pretix for secure event management, especially those handling sensitive customer data or payment information.
Mitigation Recommendations
1. Immediately restrict email template editing permissions to only the most trusted and necessary backend users to reduce the risk of malicious placeholder injection.
2. Conduct a thorough audit of all existing email templates to identify and remove any suspicious or non-standard placeholders that could exploit this vulnerability.
3. Rotate all passwords, API keys, and other sensitive credentials stored in the pretix.cfg configuration file as recommended by the vendor to mitigate potential exposure.
4. Monitor backend user activities and email template changes for unusual behavior or unauthorized modifications.
5. Implement network segmentation and strict access controls around the pretix backend to limit the impact of compromised accounts.
6. Stay alert for vendor patches or updates addressing this vulnerability and apply them promptly once available.
7. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious placeholder patterns in email templates.
8. Educate backend users about the risks of template manipulation and enforce strong authentication and session management to reduce insider threat risks.
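The following is an added example (not code from pretix, the pretix-doistep plugin, or this advisory) illustrating both the mechanism described in the technical summary and mitigation steps 2 and 7 above. It contrasts the unsafe pattern, where a template is handed to Python's `str.format`-style machinery together with objects (so a field like `{name.__class__}` performs attribute lookup), with a renderer that substitutes only bare, allowlisted placeholder names and never evaluates attribute or item access, plus an audit function an operator can run over stored templates to flag anything that is not a plain allowlisted name. The allowlist `ALLOWED_PLACEHOLDERS`, the function names and the sample templates are assumptions constructed for the example; pretix's real placeholder set and internals differ.

```python
import re
from typing import Dict, List

# Constructed allowlist for this example: the only placeholder names a
# template is permitted to use. (pretix's real set is different and larger.)
ALLOWED_PLACEHOLDERS = {"name", "event_name", "order_code"}

# One placeholder token: one or two opening braces, the inner expression,
# one or two closing braces. Group 1 captures the expression for inspection.
_TOKEN_RE = re.compile(r"\{\{?([^{}]*)\}?\}")

# A safe placeholder is a bare identifier, nothing else: no '.', '[', ')'.
_BARE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_with_str_format(template: str, values: Dict[str, object]) -> str:
    """The unsafe pattern, shown only for contrast: str.format_map() resolves
    dotted fields by attribute lookup on the supplied objects, so template
    authors can reach attributes the application never meant to expose."""
    return template.format_map(values)


def audit_template(template: str) -> List[str]:
    """Return every placeholder expression in `template` that is NOT a bare
    allowlisted name. Attribute access ('.'), indexing ('['), dunder names and
    unknown names are all reported so an operator can review the template
    (mitigation step 2) or a WAF/RASP rule can block it (step 7)."""
    findings: List[str] = []
    for match in _TOKEN_RE.finditer(template):
        expr = match.group(1).strip()
        if not _BARE_NAME_RE.match(expr) or expr not in ALLOWED_PLACEHOLDERS:
            findings.append(expr)
    return findings


def render_safely(template: str, values: Dict[str, str]) -> str:
    """Substitute allowlisted placeholders by exact name only. No attribute or
    item lookup is ever performed on the values, so a token such as
    {name.__class__} cannot traverse into Python internals: it is left in the
    output as inert literal text, and the audit above will have flagged it."""

    def replace(match: "re.Match[str]") -> str:
        expr = match.group(1).strip()
        if _BARE_NAME_RE.match(expr) and expr in ALLOWED_PLACEHOLDERS:
            return str(values.get(expr, ""))
        return match.group(0)  # unknown or suspicious token stays untouched

    return _TOKEN_RE.sub(replace, template)


if __name__ == "__main__":
    # Constructed sample templates, as an operator might pull them from a
    # template store during an audit.
    samples = [
        "Hello {name}, your order {order_code} for {event_name} is confirmed.",
        "Hello {name}, see {{event.__init__.__code__.co_filename}}",
        "Dear {name.__class__}, {unknown} placeholder here",
    ]
    for tpl in samples:
        print("template :", tpl)
        print("findings :", audit_template(tpl))
        print("rendered :", render_safely(tpl, {"name": "Alice",
                                                "order_code": "ABC12",
                                                "event_name": "DemoCon"}))
        print()
```

Running the module prints the audit findings and the safe rendering for each constructed template; the second and third samples are flagged, and their suspicious tokens survive in the output unevaluated rather than being resolved against any object.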
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: rami.io
- Date Reserved: 2026-02-13T09:57:34.221Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6992f627bda29fb02f6786da
Added to database: 2/16/2026, 10:49:11 AM
Last enriched: 2/24/2026, 12:01:53 AM
Last updated: 4/3/2026, 3:58:44 PM