CVE-2026-6376 PUBLISHED

Missing authentication for critical function in SpiceJet Online Booking System

Assigner: icscert
Reserved: 15.04.2026 Published: 23.04.2026 Updated: 23.04.2026

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	SpiceJet
Product	Online Booking System
Versions	Default: unaffected Version All is affected

Credits

Owais Shaikh reported these vulnerabilities to CISA. finder

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04

Problem Types

CWE-306 Missing authentication for critical function CWE