CVE-2026-6375

UNKNOWN 0.0

Authorization bypass through User-Controlled key in SpiceJet Online Booking System

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

CWE	CWE-639
Vendor	spicejet
Product	online booking system
Published	Apr 23, 2026
Last Updated	Apr 23, 2026

Stay Ahead of the Next One

Get instant alerts for spicejet online booking system

Be the first to know when new unknown vulnerabilities affecting spicejet online booking system are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

SpiceJet / Online Booking System

All

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04

Credits

Owais Shaikh reported these vulnerabilities to CISA.