
A security researcher armed with Anthropic's Claude says he found a bug in the ticketing system that sells passes to some of the country's biggest music festivals, and that the flaw could have let someone generate unlimited VIP or complimentary tickets, including a Bonnaroo platinum pass priced at roughly $4,000. He says he reported the problem responsibly and did not actually issue or redeem any tickets while testing. Front Gate Tickets, the platform owned by Live Nation that powers checkout and on-site scanning for events such as Austin City Limits, Lollapalooza and EDC, says it has now fixed the vulnerability.
Researcher's writeup
In a detailed post, security researcher Ian Carroll says he discovered an unauthenticated SQL injection bug in Front Gate Tickets' device API that allowed him to read more than 500 database tables, including staff credentials and live password-reset tokens, and to use a boolean oracle to confirm administrative access. The writeup includes a step-by-step reproduction and a timeline showing that Carroll disclosed the flaw to Front Gate on April 25 and that the vendor confirmed remediation the next day.
How Claude factored in
Carroll told WIRED that his first exploit attempts were blocked by Front Gate's web-application firewall. According to Carroll, Claude Opus 4.7 then generated a nested-subquery payload that slipped past the filter and completed the exploit chain. Anthropic's Opus 4.7 release notes say the model ships with automated safeguards for high-risk cybersecurity uses and that the company runs a Cyber Verification Program to give vetted defenders expanded capabilities, per Anthropic.
Vendor response and patching
Carroll's timeline shows he reported the issue to Front Gate and Live Nation on April 25 and that the company confirmed the issue was resolved by April 26. He says he stopped after confirming impact and did not read records beyond what was needed to prove the flaw. In security terms, this was a close call, not a free-ticket bonanza.
What Front Gate and reporters say
Front Gate told reporters that it found no evidence the flaw had been exploited in the wild and that any fraudulent tickets would leave an audit trail and be canceled before they could be used, as reported by Cybernews. WIRED also reports that Front Gate noted many high-value VIP packages rely on RFID wristbands that cannot be generated through the online system, which would limit some kinds of fraud even if the bug had been abused.
Why security teams are watching
Security experts say the episode is a useful preview of how more capable coding-and-reasoning AIs can accelerate exploit development by crafting evasive payloads that defeat standard filters. That reality ramps up pressure on ticketing platforms and festival operators to harden their defenses, including stronger input validation, tighter token hygiene and multi-factor protections for administrative access.
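To make the "token hygiene" point concrete, here is an added example (not code from Carroll's writeup or from Front Gate): when password-reset tokens are stored only as hashes, expire quickly and are single-use, a database read like the one described does not hand over live tokens. The table name, function names and 15-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; set according to policy


def _digest(token: str) -> str:
    # Tokens are 256-bit random values, so an unsalted SHA-256 is sufficient.
    return hashlib.sha256(token.encode()).hexdigest()


def open_store() -> sqlite3.Connection:
    # Hypothetical schema: only the hash of each token is ever persisted.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE reset_tokens ("
        " token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,"
        " expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def issue_token(db, user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO reset_tokens (token_hash, user_id, expires_at)"
        " VALUES (?, ?, ?)",
        (_digest(token), user_id, now + TOKEN_TTL_SECONDS),
    )
    return token  # delivered to the user; the plaintext is never stored


def redeem_token(db, presented, now=None):
    now = time.time() if now is None else now
    h = _digest(presented)
    # Bound parameters keep the input as data; the UPDATE enforces
    # expiry and single use in one statement.
    cur = db.execute(
        "UPDATE reset_tokens SET used = 1"
        " WHERE token_hash = ? AND used = 0 AND expires_at > ?",
        (h, now),
    )
    if cur.rowcount != 1:
        return None
    row = db.execute(
        "SELECT user_id FROM reset_tokens WHERE token_hash = ?", (h,)
    ).fetchone()
    return row[0]
```

A value read from the `token_hash` column cannot be redeemed, because `redeem_token` hashes whatever it is given before the lookup.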
For festival-goers, the practical takeaway is straightforward: keep an eye out for official notices from event organizers and be wary of unexpected password resets or unfamiliar account activity. The incident is a reminder that as AI tools get better at writing and debugging code, companies that run critical consumer systems need faster, more thorough security testing and clearer disclosure channels for independent researchers who stumble onto expensive problems before the bad guys do.









