PatchSiren cyber security CVE debrief
CVE-2026-6376 Raw CVE debrief
CVE-2026-6376 describes an unauthenticated information-disclosure issue in SpiceJet’s public booking retrieval flow. Per CISA’s advisory, a user who knows or can guess a PNR and last name may retrieve full passenger booking details without authentication or additional verification, exposing sensitive personal, travel, and booking metadata. The issue is scored CVSS 3.1 7.5 (HIGH) and is accompanied in the source by SSVCv2 E:N/A:Y.
- Vendor: Raw
- Product: SpiceJet Online Booking System vers:all/*
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-23
- Original CVE updated: 2026-04-23
- Advisory published: 2026-04-23
- Advisory updated: 2026-04-23
Who should care
SpiceJet web and application security teams, booking-platform owners, privacy and compliance teams, and incident responders responsible for customer-data exposure and public-facing retrieval portals.
Technical summary
The advisory describes a network-reachable booking lookup function that lacks proper access control. Using only a PNR and last name, an unauthenticated requester can access full passenger booking details and associated metadata. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact with no integrity or availability impact. The source also includes an SSVC note of E:N/A:Y dated 2026-04-22T06:00:00Z.
Defensive priority
High. This is a public-facing, unauthenticated data exposure affecting sensitive customer information, so it should be treated as an urgent access-control and privacy-risk issue.
Recommended defensive actions
- Disable or tightly gate the public booking-retrieval function until server-side authentication and authorization are enforced.
- Replace PNR-plus-last-name lookup with stronger verification and minimize the data returned to only what is operationally necessary.
- Add monitoring and logging for booking-lookup activity, including repeated or high-volume queries that may indicate enumeration.
- Review whether customer booking data was exposed and follow internal privacy, legal, and incident-response procedures as appropriate.
- Coordinate with SpiceJet using the published contact path and track remediation status before re-enabling any public retrieval capability.
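One way to implement the monitoring step above (repeated or high-volume booking lookups that may indicate enumeration), as an added example that is not from the advisory or SpiceJet; the access-log format, the /booking/retrieve path, the field names and the thresholds are all assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value access-log format (not SpiceJet's).
SAMPLE_LOG = """\
2026-04-23T10:00:01Z src=198.51.100.7 path=/booking/retrieve pnr=AB12CD status=200
2026-04-23T10:00:03Z src=198.51.100.7 path=/booking/retrieve pnr=AB12CE status=404
2026-04-23T10:00:04Z src=198.51.100.7 path=/booking/retrieve pnr=AB12CF status=404
2026-04-23T10:00:05Z src=198.51.100.7 path=/booking/retrieve pnr=AB12CG status=404
2026-04-23T10:00:06Z src=198.51.100.7 path=/booking/retrieve pnr=AB12CH status=200
2026-04-23T10:00:09Z src=198.51.100.7 path=/booking/retrieve pnr=AB12CJ status=404
2026-04-23T10:02:00Z src=203.0.113.9 path=/booking/retrieve pnr=ZZ9XY1 status=200
2026-04-23T10:02:30Z src=203.0.113.9 path=/booking/retrieve pnr=ZZ9XY1 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) pnr=(?P<pnr>\S+) status=(?P<status>\d+)$"
)

def parse_lines(text):
    """Yield (timestamp, src, pnr, status) for well-formed lookup lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"] == "/booking/retrieve":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["pnr"], int(m["status"])

def find_enumerators(text, window=timedelta(minutes=5), max_distinct=5, max_fail_ratio=0.5):
    """Return {src: (distinct_pnrs, failure_ratio)} for clients that, within any window-long
    span of their own requests, query too many distinct PNRs or fail too many lookups."""
    by_src = defaultdict(list)
    for ts, src, pnr, status in parse_lines(text):
        by_src[src].append((ts, pnr, status))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window from the left
                start += 1
            span = events[start:end + 1]
            distinct = len({pnr for _, pnr, _ in span})
            ratio = sum(1 for _, _, st in span if st != 200) / len(span)
            # Judge the failure ratio only once there are enough requests for it to mean something.
            if distinct >= max_distinct or (len(span) >= 5 and ratio >= max_fail_ratio):
                if src not in findings or distinct > findings[src][0]:
                    findings[src] = (distinct, round(ratio, 2))
    return findings
```

A legitimate customer typically re-opens one booking a few times; a client walking through many distinct PNRs, most of them returning 404, is what the threshold pair is meant to surface.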
Evidence notes
Based on CISA CSAF advisory ICSA-26-113-04 and its source JSON, both published on 2026-04-23, which state that SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed with only a PNR and last name and no authentication or verification. The source metadata also notes that SpiceJet did not respond to CISA’s coordination requests. No exploitation report or KEV listing is present in the supplied corpus.
Official resources
- CVE-2026-6376 CVE record (CVE.org)
- CVE-2026-6376 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA on 2026-04-23 as ICSA-26-113-04 / CVE-2026-6376. The supplied source set does not indicate KEV inclusion or documented exploitation.