CVE-2026-2452: CWE-627 Dynamic Variable Evaluation in pretix pretix-newsletter
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: it was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file (https://docs.pretix.eu/self-hosting/config/).
AI Analysis
Technical Summary
CVE-2026-2452 is classified under CWE-627 (Dynamic Variable Evaluation) and affects the pretix-newsletter plugin versions 1.0.0 and 2.0.0. pretix renders emails from templates in which placeholders such as {name} are replaced with customer data at send time. In this plugin the placeholder text was not confined to a fixed set of names, so a backend user who can edit a template could write an expression such as {{event.__init__.__code__.co_filename}}. Python's format-style placeholder resolution follows attribute and index chains starting from the objects in the template context, and every ordinary object exposes its class, its methods, their code objects and their module globals through double-underscore attributes; from an event object that chain reaches file paths and module-level state such as loaded settings, which is the route by which configuration values like database passwords and API keys can be read. pretix core guards against such placeholders, but according to the advisory a mistake in the plugin's code meant the guard was not fully effective there; the advisory gives no further detail of the mistake. Exploitation requires an authenticated backend account with template-editing rights, which the advisory notes is usually every backend user, and needs no interaction from anyone else: the rendered email itself carries the leaked values. The CVSS 4.0 vector recorded for this entry is reported as network attack vector, high attack complexity, privileges required, no user interaction, and high impact on confidentiality, integrity and availability; note that the effect the advisory demonstrates is confidentiality loss, with integrity and availability affected indirectly through whatever the leaked database credentials and API keys grant. No public exploit has been reported. Because the vendor cannot rule out that the flaw was used, it recommends rotating every secret in pretix.cfg regardless of whether misuse is evident.
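The following is an added example, not code from pretix or pretix-newsletter, that shows the mechanism behind this class of bug in plain Python: a renderer built on str.format resolves whatever attribute and index chain the template names, and a formatter that accepts only a fixed set of placeholder names does not. The Event class and the SECRETS dict are constructed stand-ins for an application object and for loaded configuration. The double_format function is an assumption used only to illustrate why a payload might be written with double braces, since {{ is an escaped literal brace in str.format syntax; the advisory does not say whether the plugin formatted twice.

```python
"""Added example (not pretix code): attribute traversal through str.format
placeholders, and a formatter restricted to an allowlist of names."""
import string


# Module-level dict standing in for configuration loaded from a file such as
# pretix.cfg. Any function defined in this module reaches it via __globals__.
SECRETS = {"DATABASE_PASSWORD": "hunter2", "API_KEY": "sk-test-0000"}


class Event:
    """Constructed stand-in for an application object handed to the template."""

    def __init__(self, name: str):
        self.name = name


def render_unsafe(template: str, **ctx) -> str:
    """Vulnerable: str.format walks any attribute (.x) or index ([x]) chain the
    template asks for, starting from the objects in ctx."""
    return template.format(**ctx)


class SafeFormatter(string.Formatter):
    """Resolves only placeholder names in `allowed`; any other field, including
    every attribute or index chain, is rejected before anything is evaluated."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        # The base class would split field_name on '.' and '[' and walk the
        # chain with getattr/getitem; returning here skips that walk entirely.
        if field_name not in self.allowed:
            raise ValueError(f"placeholder not allowed: {{{field_name}}}")
        return kwargs[field_name], field_name


def render_safe(template: str, **ctx) -> str:
    """Hardened: ctx holds already-flattened values (name, event_name, ...), so
    a template may name them but can never traverse into live objects."""
    return SafeFormatter(ctx).format(template, **ctx)


def is_rejected(template: str, **ctx) -> bool:
    """True if the hardened renderer refuses the template."""
    try:
        render_safe(template, **ctx)
    except ValueError:
        return True
    return False


def leak_path(event: Event) -> str:
    """The advisory's example: path of the source file defining Event.__init__."""
    return render_unsafe("{event.__init__.__code__.co_filename}", event=event)


def leak_secret(event: Event) -> str:
    """One step further: a method's __globals__ is its module namespace, so
    anything stored there is a single index away."""
    return render_unsafe(
        "{event.__init__.__globals__[SECRETS][DATABASE_PASSWORD]}", event=event
    )


def double_format(template: str, **ctx) -> str:
    """Assumption for illustration only: '{{x}}' is a literal '{x}' to the first
    (safe) pass and becomes a live placeholder if the output is formatted again."""
    once = render_safe(template, **ctx)   # accepted: no placeholder is evaluated
    return render_unsafe(once, **ctx)     # a second pass resolves the chain


if __name__ == "__main__":
    ev = Event("PyCon")
    print(leak_path(ev))                                                   # path of this file
    print(leak_secret(ev))                                                 # hunter2
    print(render_safe("Hi {name}!", name="Ada"))                           # Hi Ada!
    print(is_rejected("{event.__init__.__code__.co_filename}", event=ev))  # True
    print(double_format("{{event.__init__.__globals__[SECRETS][API_KEY]}}", event=ev))
```

The design point is that the safe path never calls getattr or getitem on behalf of the template: the template can only name a value that the application chose to expose, and the application flattens objects into scalars before rendering.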
Potential Impact
The direct impact of CVE-2026-2452 is disclosure of secrets held in the server's configuration: the database password, API keys for connected services, and anything else stored in pretix.cfg. A database password gives an attacker who can reach the database host read and write access to all organizer and customer data, including orders and personal data, and a leaked third-party API key lets the attacker act against that service; that is how a confidentiality bug turns into integrity and availability impact, and it is why the vendor advises rotation rather than just patching. The bar to exploit is low. The required privilege is the ability to edit an email template, which the advisory says is usually every backend user, so on an installation serving several organizers every member of every organizer team is in scope, not only administrators, and one phished or reused organizer password is sufficient. Because pretix handles ticket sales and customer communication, an affected operator faces exposure of customer personal data with the regulatory consequences that follow. No public exploit is known, which lowers the immediate likelihood but not the severity, and since exploitation looks like an ordinary template edit followed by a sent email, an operator should not assume it did not happen.
Mitigation Recommendations
1. Rotate every secret in pretix.cfg (database password, API keys, and any other credential in that file) as the vendor advises, and treat the old values as compromised; do this even if no misuse is evident, because a template edit can be reverted after the email is sent.
2. Update pretix-newsletter to a release that fixes this issue; versions 1.0.0 and 2.0.0 are affected. Until the update is deployed, disable the plugin; the advisory places the defect in the plugin, not in core pretix.
3. Review the templates currently stored by the plugin and their change history for placeholder expressions containing a dot, a square bracket or a double underscore. Any such expression is an exploitation attempt, and rotation then becomes mandatory rather than precautionary. If your installation keeps a log of sent mail, check it for emails containing file paths or credential-like strings.
4. Restrict who can edit email templates to the minimum set of backend users, and keep organizer team permissions tight in general, since template editing is the only privilege the attack needs.
5. Keep an audit trail of template changes and review it; on an installation with many organizers this is the only way to attribute an attempt to an account.
6. For plugin and integration developers: resolve placeholders against a fixed allowlist of names, never hand a user-controlled template to str.format, a template engine or eval with live objects in the context, and never format already-formatted text a second time, since escaped braces become live placeholders on the second pass.
7. Limit where leaked credentials can be used: the database should accept connections only from the application hosts, and API keys should be scoped to the minimum the integration needs, so that a disclosed secret is worth less to the attacker.
8. A web application firewall or runtime protection rule that blocks template submissions containing double underscores or attribute access is a cheap stopgap, but it is not a fix and is easy to evade.
9. Make sure administrators and organizer staff know that email templates are executable input from the application's point of view and that template edits are reviewed like configuration changes.
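To make the template review in the recommendations above concrete, here is an added example (not pretix code) that scans stored templates for placeholder expressions going beyond a plain name and ranks them. KNOWN_PLACEHOLDERS and SAMPLE_TEMPLATES are constructed for this example, since pretix's real placeholder set and template storage are not shown on this page; a real audit would feed it the plugin's stored templates and their revision history. It deliberately treats {{x}} the same as {x}, because a payload stored in escaped form still needs a human to look at it.

```python
"""Added example (not pretix code): retrospective audit of stored email
templates for placeholder expressions of the kind the advisory describes."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed allowlist of legitimate placeholder names (an assumption, see above).
KNOWN_PLACEHOLDERS = {"name", "event", "code", "url"}

# Every brace-delimited expression, whether written {x} or {{x}}. In str.format
# syntax '{{' is an escaped literal brace, but a payload stored that way still
# deserves review, so the scan treats both forms alike.
_EXPR = re.compile(r"\{+\s*([^{}]+?)\s*\}+")


@dataclass
class Finding:
    template_id: str
    field: str
    expression: str   # the brace expression exactly as stored
    severity: str     # "high", "medium" or "low"
    reason: str


def classify(expr: str) -> tuple[str, str] | None:
    """Rank one placeholder expression; None means it looks benign."""
    if "__" in expr:
        return "high", "dunder attribute access: object introspection"
    if "." in expr or "[" in expr:
        return "medium", "attribute or index access on a placeholder"
    # Strip a conversion (!r) or format spec (:>10) to get the bare name.
    name = re.split(r"[!:]", expr, maxsplit=1)[0]
    if name not in KNOWN_PLACEHOLDERS:
        return "low", "placeholder name not in the allowlist"
    return None


def audit(templates) -> list[Finding]:
    """templates: iterable of (template_id, field, body) triples."""
    findings = []
    for tid, field, body in templates:
        for m in _EXPR.finditer(body):
            verdict = classify(m.group(1))
            if verdict is not None:
                findings.append(Finding(tid, field, m.group(0), *verdict))
    return findings


# Constructed sample data: one clean template and two tampered ones.
SAMPLE_TEMPLATES = [
    ("tpl-1", "subject", "Your tickets for {event}"),
    ("tpl-1", "body", "Hi {name!r}, order {code} is confirmed: {url}"),
    ("tpl-2", "body", "Hi {name}\n\n{event.__init__.__code__.co_filename}"),
    ("tpl-3", "body", "Hello {{event.__init__.__globals__[SECRETS]}}, {code[0]}, {ticket}"),
]


def sample_findings() -> list[Finding]:
    return audit(SAMPLE_TEMPLATES)


def secrets_must_be_rotated(findings) -> bool:
    """Any high or medium finding means a template could have traversed into
    live objects, so the advisory's rotation advice stops being optional."""
    return any(f.severity in ("high", "medium") for f in findings)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.severity:6} {f.template_id}/{f.field}: {f.expression}  ({f.reason})")
    print("rotate secrets:", secrets_must_be_rotated(sample_findings()))
```

Low findings are usually typos or placeholders added by another plugin and only need the allowlist updated; medium and high findings need the editing account identified and the secrets rotated.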
Affected Countries
Germany, United States, United Kingdom, Netherlands, France, Canada, Australia, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: rami.io
- Date Reserved: 2026-02-13T09:57:35.371Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6992f627bda29fb02f6786dd
Added to database: 2/16/2026, 10:49:11 AM
Last enriched: 2/24/2026, 12:02:14 AM
Last updated: 4/3/2026, 11:20:38 AM