CVE 8.7 HIGH

Authorization bypass through User-Controlled key in SpiceJet Online Booking System_CVE-2026-6375

April 23, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

AI Analysis

A vulnerability in the SpiceJet Online Booking System allows unauthorized access to passenger name records due to missing authorization checks.

Basic Information

ID CVE-2026-6375

Source icscert

Published Apr 23, 2026 at 20:07

Modified Apr 23, 2026 at 20:08

Affected Product

Vendor SpiceJet

Product Online Booking System

Version All

Affected Versions SpiceJet Online Booking System All

CWE Classification

CWE-639

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor SpiceJet

Product Online Booking System

Version All

References

www.cisa.gov /news-events/ics-advisories/icsa-26-113-04

{
    "lastseen": "",
    "description": "A vulnerability in SpiceJet\u2019s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.",
    "published": "2026-04-23T20:07:23.930Z",
    "modified": "2026-04-23T20:08:10.133Z",
    "type": "cve",
    "title": "Authorization bypass through User-Controlled key in SpiceJet Online Booking System",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04",
    "id": "CVE-2026-6375",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "SpiceJet Online Booking System All",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Online Booking System",
    "version": "All",
    "vendor": "SpiceJet",
    "ai_description": "A vulnerability in the SpiceJet Online Booking System allows unauthorized access to passenger name records due to missing authorization checks.",
    "ai_severity": "High",
    "ai_vendor": "SpiceJet",
    "ai_product": "Online Booking System",
    "ai_version": "All",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply