CVE-2025-14882: pretix has Broken Access Control Allowing Cross-User File Access via UUID

December 19, 2025 (updated December 20, 2025)

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

References

github.com/advisories/GHSA-pmjj-h5jm-vxh4
github.com/pretix/pretix
github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a
nvd.nist.gov/vuln/detail/CVE-2025-14882
pretix.eu/about/en/blog/20251219-release-2025-10-1

Code Behaviors & Features

Detect and mitigate CVE-2025-14882 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →