CVE-2026-2452: CWE-627 Dynamic Variable Evaluation in pretix pretix-newsletter
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: it was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file (https://docs.pretix.eu/self-hosting/config/).
AI Analysis
Technical Summary
CVE-2026-2452 is a vulnerability classified under CWE-627 (Dynamic Variable Evaluation) affecting the pretix-newsletter plugin versions 1.0.0 and 2.0.0. pretix uses placeholders in email templates to dynamically insert customer data, such as {name}, which are replaced with actual values at runtime. However, the placeholder processing mechanism contained a critical flaw: it accepted specially crafted placeholders that access internal Python object attributes, for example {{event.__init__.__code__.co_filename}}. An attacker able to edit email templates (typically any user with backend access) could therefore have such attribute chains evaluated and retrieve sensitive information from the system, including database passwords and API keys stored in the pretix.cfg configuration file. Although pretix implements filtering to block malicious placeholders, a coding error in the pretix-newsletter plugin rendered these protections ineffective for that plugin. The vulnerability has a CVSS 4.0 base score of 7.5 (high severity): network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are currently known, but the risk of credential leakage and subsequent system compromise is significant. The vulnerability was published on 2026-02-16; no patches are currently linked, so immediate mitigation and credential rotation are advised.
Potential Impact
For European organizations using pretix for event ticketing and newsletter distribution, this vulnerability poses a severe risk to the confidentiality and integrity of sensitive system credentials. An attacker with backend access could exfiltrate database passwords and API keys, potentially leading to full system compromise, unauthorized data access, and disruption of event management operations. This could result in data breaches involving personal customer information, financial loss, reputational damage, and regulatory penalties under GDPR. The ability to exploit this vulnerability remotely over the network without user interaction increases the attack surface. Organizations relying on pretix for critical event infrastructure or handling large volumes of personal data are particularly vulnerable. The lack of known exploits in the wild suggests limited current exploitation but also highlights the importance of proactive mitigation to prevent future attacks.
Mitigation Recommendations
1. Immediately restrict email template editing permissions to only the most trusted and necessary backend users to reduce the risk of malicious template injection.
2. Monitor and audit all changes to email templates for suspicious placeholder usage, especially those containing double curly braces and Python object attribute access patterns.
3. Rotate all database passwords, API keys, and other sensitive credentials stored in the pretix.cfg configuration file to invalidate any potentially compromised secrets.
4. Apply patches or updates from pretix as soon as they become available that address this vulnerability.
5. Consider implementing additional input validation or sandboxing mechanisms for template rendering to prevent dynamic code evaluation.
6. Conduct a thorough security review of the pretix environment, including access controls and logging, to detect any unauthorized access or exploitation attempts.
7. Educate backend users about the risks of template manipulation and enforce strong authentication and session management controls.
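As an added illustration of the placeholder mechanism in the technical summary and of mitigation steps 2 and 5 (example code written for this page, not pretix's or the plugin's own implementation), the following Python audits a template for anything other than a bare allowlisted placeholder name, flagging the double-brace and attribute-traversal shape of the placeholder quoted in the description, and substitutes values only by dictionary lookup so no object attribute is ever evaluated. The allowlist and the sample templates are constructed for the example.

```python
import re

# Constructed allowlist for the example; the real pretix placeholder set is assumed, not copied.
ALLOWED_PLACEHOLDERS = {"name", "event_name", "order_code"}

# Matches a single- or double-braced placeholder and captures its inner text.
_PLACEHOLDER_RE = re.compile(r"\{\{?\s*([^{}]*?)\s*\}\}?")
# A safe field is a bare identifier: no dots, brackets, spaces, or leading underscore.
_PLAIN_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def audit_template(template: str) -> list[str]:
    """Return every placeholder that is not a bare, allowlisted name.

    Flags double braces, attribute traversal (dots), indexing and dunder
    names, i.e. the shape of {{event.__init__.__code__.co_filename}}.
    An empty list means the template only uses known placeholders.
    """
    findings = []
    for m in _PLACEHOLDER_RE.finditer(template):
        raw, inner = m.group(0), m.group(1)
        if (raw.startswith("{{")
                or not _PLAIN_NAME_RE.match(inner)
                or inner not in ALLOWED_PLACEHOLDERS):
            findings.append(raw)
    return findings


def render_template(template: str, values: dict[str, str]) -> str:
    """Fill placeholders by dictionary lookup only, never by attribute access.

    Refuses to render (ValueError) if audit_template reports anything, so a
    crafted placeholder is rejected instead of being evaluated.
    """
    bad = audit_template(template)
    if bad:
        raise ValueError(f"rejected placeholders: {bad}")
    return _PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], template)
```

A template-change audit hook (mitigation step 2) can call audit_template on every saved template and alert on a non-empty result.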
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Austria, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: rami.io
- Date Reserved: 2026-02-13T09:57:35.371Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6992f627bda29fb02f6786dd
Added to database: 2/16/2026, 10:49:11 AM
Last enriched: 2/16/2026, 11:03:35 AM
Last updated: 2/17/2026, 3:54:30 PM