Description
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.
Published: 2026-04-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of passenger booking data
Action: Patch Now
AI Analysis

Impact

A public booking retrieval page exposes full passenger booking information when accessed with only a PNR and last name. No authentication or verification protects the function, so any Internet user can request detailed passenger, travel, and booking metadata. The flaw stems from improper access control and is classified as CWE-306.

Affected Systems

The affected product is SpiceJet’s Online Booking System. The CVE does not specify a version range, so every deployment of the current online booking application is at risk until an official fix or configuration change is applied. No other vendor or product is listed.

Risk and Exploitability

The vulnerability has a CVSS v4.0 base score of 8.7 (High). The EPSS score is below 1%, meaning the estimated probability of exploitation is currently very low. The flaw is not listed in the CISA KEV catalog. Because the data retrieval function is publicly accessible, an attacker needs only the two inputs, PNR and last name, to extract sensitive data, which makes exploitation trivial once the inputs are known or guessable.

Generated by OpenCVE AI on April 28, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact SpiceJet support to obtain a patch or updated version of the online booking system.
  • Require user authentication and account verification before allowing access to booking details.
  • Implement input validation and enforce strict access controls on the booking retrieval endpoint.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spicejet; Spicejet online Booking System
Vendors & Products | | Spicejet; Spicejet online Booking System

Fri, 24 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.
Title | | Missing authentication for critical function in SpiceJet Online Booking System
Weaknesses | | CWE-306
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-24T13:52:43.538Z

Reserved: 2026-04-15T16:31:32.165Z

Link: CVE-2026-6376

Vulnrichment

Updated: 2026-04-24T13:52:40.522Z

NVD

Status: Awaiting Analysis

Published: 2026-04-23T21:16:06.507

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-6376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z
