CVE-2026-6375

HIGH

Authorization bypass through User-Controlled key in SpiceJet Online Booking System

Title source: cna

Description

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

References (1)

https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04

Scores

CVSS v4 8.7

EPSS 0.0007

EPSS Percentile 20.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

SpiceJet/Online Booking System All

Published Apr 23, 2026

Tracked Since Apr 24, 2026