CVE-2025-14881: pretix has Broken Access Control Allowing Cross-User File Access via UUID

December 19, 2025 (updated December 20, 2025)

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

References

github.com/advisories/GHSA-r2h2-g46h-8mx8
github.com/pretix/pretix
github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a
nvd.nist.gov/vuln/detail/CVE-2025-14881
pretix.eu/about/en/blog/20251219-release-2025-10-1

Code Behaviors & Features

Detect and mitigate CVE-2025-14881 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →