Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id | Advisories

Advisories

Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id

severity: high
date: 6/29/2026
Affecting: Hi.Events <= 1.9.0
An affected version range remains undefined
CVE: CVE-2026-57960
CWE: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
CVSS: 8.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References: Researcher Disclosure
Pull Request
Credit: George Chen
Description: Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo