Auth bypass in SpiceJet Online Booking System

CVE-2026-6375

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate val…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (26.3th percentile)
