Vulnerability Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cern | Indico | < 3.3.11 |
Related Weaknesses (CWE)
References
- https://github.com/indico/indico/releases/tag/v3.3.11ProductRelease Notes
- https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5vMitigationPatchVendor Advisory
FAQ
What is CVE-2026-28352?
CVE-2026-28352 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an...
How severe is CVE-2026-28352?
CVE-2026-28352 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28352?
Check the references section above for vendor advisories and patch information. Affected products include: Cern Indico.