Description
In Hi.Events through 1.9.0, the public check-in list endpoints use the short_id as their sole access control, which allows unauthenticated retrieval of full attendee lists, including emails and personal information. An attacker who knows a short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data, and can create or delete check-in records, without authentication.
Severity (CVSS)
| Metric | Value |
|---|---|
| Base score | 8.3 |
| Severity | High |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor
Affected products
| Vendor | Product | Versions |
|---|---|---|
| HiEventsDev | Hi.Events | 0 to <=1.9.0 |
References
- https://github.com/HiEventsDev/Hi.Events/issues/1224 (technical-description)
- https://github.com/HiEventsDev/Hi.Events/pull/1229 (issue-tracking)
- https://www.vulncheck.com/advisories/hi-events-unauthenticated-attendee-pii-exposure-via-check-in-list-short-id (third-party-advisory)
Generated from the official CVE List on 30 Jun 2026 07:04 UTC.