Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.
Published: 2026-02-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized metadata exposure and deletion of event series
Action: Immediate Patch
AI Analysis

Impact

Indico, an event management platform built on Flask, omitted an access check on the API endpoint that manages event series. This flaw lets an unauthenticated or unauthorized user read the title, category chain and start/end dates of the events in a series; delete an entire series; or modify its details. The exposure is limited to reading and manipulating the series structure: it gives no direct access to the events themselves and no way to tamper with user-visible event data. The weakness is a classic case of missing authentication for a privileged operation (CWE-306).
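To make the flaw concrete, here is an added illustration (not Indico's code and not taken from the GHSA advisory) of a series-management handler with and without the access check; the Event model, the rule that a caller must hold management rights on every event in the series, and the 401/403 status codes are assumptions.

```python
# Added illustration, not Indico's code: the CWE-306 pattern described above,
# a series-management handler with no access check next to one that gates
# every operation. Data model, rights rule and status codes are assumptions.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Event:
    title: str
    category_chain: list
    start: date
    end: date
    managers: set = field(default_factory=set)  # user ids with management rights

def series_metadata(series):
    """The per-event metadata the advisory says an unauthorized caller could read."""
    return [{"title": e.title, "category_chain": e.category_chain,
             "start": e.start.isoformat(), "end": e.end.isoformat()}
            for e in series]

def can_manage_series(user_id, series):
    """Assumed rule: the caller must hold management rights on every event."""
    return all(user_id in e.managers for e in series)

def vulnerable_series_api(user_id, action, series):
    """Before the fix: no check at all, so any caller can read or delete the series."""
    if action == "delete":
        series.clear()
    return 200, series_metadata(series)

def hardened_series_api(user_id, action, series):
    """After the fix: reject the request before any data is read or changed."""
    if user_id is None:
        return 401, None  # not logged in
    if not can_manage_series(user_id, series):
        return 403, None  # logged in, but no rights on the series' events
    if action == "delete":
        series.clear()
    return 200, series_metadata(series)

def sample_series():
    """Constructed sample data: two events managed only by user 'alice'."""
    cats = ["Home", "Physics", "Seminars"]
    return [Event("Seminar 1", cats, date(2026, 3, 2), date(2026, 3, 2), {"alice"}),
            Event("Seminar 2", cats, date(2026, 3, 9), date(2026, 3, 9), {"alice"})]
```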

Affected Systems

Any Indico deployment running a version earlier than 3.3.11 is affected. Version 3.3.11 and newer add the missing access check, restoring proper authorization controls for all series-management actions.

Risk and Exploitability

The CVSS score of 6.5 rates the vulnerability as medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. It is not listed in CISA's KEV catalog, so no large-scale, widespread exploitation is documented. The likely attack path is an attacker sending HTTP requests to the series-management endpoint when it is publicly reachable; no credentials are required. Consequently, the risk is primarily to the integrity and availability of the event series themselves, with limited impact on individual event content.

Generated by OpenCVE AI on April 16, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Indico installation to version 3.3.11 or later to apply the official patch.
  • Configure the web server or API gateway to restrict unauthenticated or insufficiently privileged access to the series‑management endpoint, ensuring only authorized users can reach it.
  • Verify that the restriction is effective by attempting to access the endpoint with a non‑privileged account and confirming that the request is denied.


Advisories
Source: GitHub GHSA
ID: GHSA-rfpp-2hgm-gp5v
Title: Indico has a missing access check in the event series management API
History

Tue, 03 Mar 2026 21:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 18:45:00 +0000

Values added:
  First time appeared: Cern; Cern indico
  CPEs: cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*
  Vendors & Products: Cern; Cern indico

Mon, 02 Mar 2026 12:15:00 +0000

Values added:
  First time appeared: Indico; Indico indico
  Vendors & Products: Indico; Indico indico

Fri, 27 Feb 2026 21:15:00 +0000

Values added:
  Description: (the advisory description shown at the top of this page)
  Title: Indico missing access check in event series management API
  Weaknesses: CWE-306
  References:
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:29:18.718Z

Reserved: 2026-02-26T18:38:13.890Z

Link: CVE-2026-28352

Vulnrichment

Updated: 2026-03-03T20:29:15.850Z

NVD

Status: Analyzed

Published: 2026-02-27T21:16:19.323

Modified: 2026-03-03T18:31:21.570

Link: CVE-2026-28352

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses