CVE-2026-6375 | THREATINT

Description

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-23 | Updated 2026-04-23 | Assigner icscert

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization bypass through User-Controlled key

Product status

Default status

unaffected

All

affected

Credits

Owais Shaikh reported these vulnerabilities to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-26-113-04

cve.org (CVE-2026-6375)

nvd.nist.gov (CVE-2026-6375)

Download JSON