This vulnerability involves improper isolation or compartmentalization (CWE-653) in pretix Venueless, allowing a user with API access and the "manage users" permission scoped to any single venueless world to delete user accounts in other worlds. The issue arises because the application does not adequately separate user management privileges across different worlds, enabling cross-world user account deletion. The CVSS 4.0 base score is 7.3, indicating high severity with network attack vector, low attack complexity, and partial privileges required. The vulnerability impacts version 0.0.0 of Venueless. No patch or official remediation level has been provided by the vendor as of the publication date.

An attacker with API access and the "manage users" permission in any single venueless world can delete user accounts in other worlds, potentially causing denial of service to legitimate users and administrative disruption across multiple isolated environments within the application. This cross-world user deletion could lead to significant operational impact, especially in multi-tenant or segmented deployments.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict API access and the "manage users" permission to trusted users only, and monitor for unusual user deletion activity. Avoid granting broad permissions across multiple worlds to reduce risk.