CVE 8.7 HIGH

Missing authentication for critical function in SpiceJet Online Booking System_CVE-2026-6376

April 23, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.

AI Analysis

Improper access control vulnerability in SpiceJet Online Booking System allows unauthorized access to passenger booking details

Basic Information

ID CVE-2026-6376

Source icscert

Published Apr 23, 2026 at 20:10

Modified Apr 23, 2026 at 20:12

Affected Product

Vendor SpiceJet

Product Online Booking System

Version All

Affected Versions SpiceJet Online Booking System All

CWE Classification

CWE-306

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor SpiceJet

Product Online Booking System

Version All

References

www.cisa.gov /news-events/ics-advisories/icsa-26-113-04

{
    "lastseen": "",
    "description": "A weakness in SpiceJet\u2019s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.",
    "published": "2026-04-23T20:10:19.689Z",
    "modified": "2026-04-23T20:12:15.862Z",
    "type": "cve",
    "title": "Missing authentication for critical function in SpiceJet Online Booking System",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04",
    "id": "CVE-2026-6376",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "SpiceJet Online Booking System All",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Online Booking System",
    "version": "All",
    "vendor": "SpiceJet",
    "ai_description": "Improper access control vulnerability in SpiceJet Online Booking System allows unauthorized access to passenger booking details",
    "ai_severity": "High",
    "ai_vendor": "SpiceJet",
    "ai_product": "Online Booking System",
    "ai_version": "All",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply