PatchSiren cyber security CVE debrief
CVE-2026-6375 Raw CVE debrief
CVE-2026-6375 describes a missing-authorization flaw in SpiceJet’s online booking system. According to the CISA CSAF advisory published on 2026-04-23, an unauthenticated attacker can query passenger name records (PNRs) and obtain associated passenger names because the booking API does not enforce access controls on an endpoint intended for authenticated profile access. The advisory also notes that PNR identifiers are predictable, which increases the practical risk of systematic enumeration. The issue is scored CVSS 3.1 7.5 (HIGH) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).
- Vendor: Raw
- Product: SpiceJet Online Booking System vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-23
- Original CVE updated: 2026-04-23
- Advisory published: 2026-04-23
- Advisory updated: 2026-04-23
Who should care
Security teams responsible for web applications, booking or reservation platforms, identity and access control, API security, and data privacy should prioritize this issue. Operations, incident response, and compliance teams should also care because the flaw exposes passenger data through an internet-facing service.
Technical summary
The source advisory says the booking API lacks authorization checks, allowing unauthenticated queries for PNRs. Because the identifiers follow a predictable pattern, an attacker could enumerate valid records rather than needing prior access. The impact described in the source is confidentiality loss: passenger names tied to PNRs may be disclosed. The provided CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, consistent with network-reachable, low-complexity, unauthenticated information disclosure.
Defensive priority
High. The issue is externally reachable, requires no authentication, and directly exposes personal data. Treat it as a priority exposure review for any affected booking or customer-profile API surface.
Recommended defensive actions
- Restrict the affected endpoint to authenticated, authorized users only.
- Verify authorization on every PNR lookup and ensure access is bound to the requesting account or trusted support workflow.
- Remove or randomize any predictable identifier patterns where feasible, and do not rely on obscurity as a control.
- Add rate limiting, anomaly detection, and logging for repeated PNR lookup attempts and enumeration patterns.
- Review exposed booking and profile APIs for similar missing-authentication or missing-authorization flaws.
- Coordinate with SpiceJet using the contact information provided in the advisory if you operate or integrate with the affected system.
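As an added illustration that is not part of the advisory and not SpiceJet's code, the sketch below shows the two controls the list above calls for: binding a PNR lookup to the authenticated account (the CWE-639 fix) and flagging clients whose repeated lookup misses look like sequential identifier guessing. The booking store, the log format and all function names are hypothetical and constructed for this example.

```python
from collections import defaultdict

# Constructed sample store: PNR -> (owning account id, passenger name)
BOOKINGS = {
    "ABC123": ("acct-1", "A. Traveller"),
    "ABC124": ("acct-2", "B. Traveller"),
}

def lookup_pnr_vulnerable(pnr):
    """Mirrors the reported flaw: the key is client-controlled and the
    caller is never identified, so any PNR resolves to a passenger name."""
    rec = BOOKINGS.get(pnr)
    return rec[1] if rec else None

def lookup_pnr(pnr, session):
    """Hardened lookup: require an authenticated session and only return a
    record that belongs to that account. Unknown and not-owned PNRs get the
    same answer so the endpoint does not confirm which identifiers exist."""
    account = session.get("account_id") if session else None
    if account is None:
        return ("unauthenticated", None)
    rec = BOOKINGS.get(pnr)
    if rec is None or rec[0] != account:
        return ("not_found", None)
    return ("ok", rec[1])

def enumeration_suspects(log_lines, threshold=5):
    """Flag client IPs with at least `threshold` failed lookups; a high miss
    count across nearby identifiers is the signature of PNR enumeration.
    Constructed log format: '<client_ip> <pnr> <http_status>'."""
    misses = defaultdict(int)
    for line in log_lines:
        ip, _pnr, status = line.split()
        if status != "200":
            misses[ip] += 1
    return sorted(ip for ip, n in misses.items() if n >= threshold)

# Constructed log: one legitimate lookup and one client walking adjacent PNRs
SAMPLE_LOG = [
    "198.51.100.7 ABC123 200",
    "203.0.113.9 ABC120 404",
    "203.0.113.9 ABC121 404",
    "203.0.113.9 ABC122 404",
    "203.0.113.9 ABC123 200",
    "203.0.113.9 ABC125 404",
    "203.0.113.9 ABC126 404",
]
```

In a real deployment the miss counter would be kept per time window, and the threshold tuned against normal support-desk traffic before alerting on it.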
Evidence notes
All claims in this debrief are taken from the supplied CISA CSAF source item for ICSA-26-113-04 / CVE-2026-6375 and its listed references. The source states the flaw affects SpiceJet’s online booking system, that unauthenticated PNR queries are possible, that identifiers are predictable, and that SpiceJet did not respond to CISA’s coordination requests. The source also provides the CVSS vector and CWE-639 reference.
Official resources
- CVE-2026-6375 CVE record (CVE.org)
- CVE-2026-6375 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-04-23. The source notes that SpiceJet did not respond to CISA’s coordination requests. The debrief reflects only the published advisory content and associated official references.