Auth bypass in Spicejet Online Booking System

CVE-2026-6376

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal…

Vulnerability class: Broken Authentication

EPSS: 0.001 (29.3th percentile) — read the EPSS interpretation.

Affected products

Spicejet Online Booking System — versions All

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

www.cisa.gov/news-events/ics-advisories/icsa-26-113-04