Description
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.
Published: 2026-04-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Data disclosure of passenger name records
Action: Immediate patch
AI Analysis

Impact

The vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) because the endpoint lacks proper authorization checks. This flaw enables the disclosure of sensitive passenger information, violating privacy and potentially exposing personal data to malicious actors. The weakness is a classic example of missing access control (CWE-639).

Affected Systems

SpiceJet Online Booking System. No specific product version or configuration details are provided, but the affected component is the public-facing API that serves PNR data to any requester.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score of less than 1% signals a low but non‑zero exploitation probability in the current environment. The vulnerability is not listed in CISA’s KEV catalog, meaning it has not yet been registered as a known exploited vulnerability. Attackers can exploit this flaw purely by sending requests to the exposed API, using predictable PNR identifiers to enumerate and retrieve passenger names. The attack requires no authentication and no special privileges, so it can be automated and carried out by any user with internet access to the booking system.

Generated by OpenCVE AI on April 28, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or update the SpiceJet Online Booking System to the latest version.
  • Enforce strict authorization controls on all API endpoints, ensuring that only authenticated and authorized users can access PNR data.
  • Implement rate limiting, monitoring, and logging for all requests to the booking API to detect and mitigate automated enumeration attempts.

Generated by OpenCVE AI on April 28, 2026 at 07:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Spicejet
Spicejet online Booking System
Vendors & Products Spicejet
Spicejet online Booking System

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.
Title Authorization bypass through User-Controlled key in SpiceJet Online Booking System
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Spicejet Online Booking System
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-24T18:19:59.492Z

Reserved: 2026-04-15T16:31:31.228Z

Link: CVE-2026-6375

cve-icon Vulnrichment

Updated: 2026-04-24T15:51:55.010Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T21:16:06.370

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-6375

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:25:46Z

Weaknesses