CVE-2026-6375

Vulnerability Description

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

Related Weaknesses (CWE)

CWE-639

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04

FAQ

What is CVE-2026-6375?

CVE-2026-6375 is a documented vulnerability. A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an atta...

How severe is CVE-2026-6375?

CVSS scoring is not yet available for CVE-2026-6375. Check NVD for updates.

Is there a patch for CVE-2026-6375?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.