Vulnerability Description
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-6376?
CVE-2026-6376 is a documented vulnerability. A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This res...
How severe is CVE-2026-6376?
CVSS scoring is not yet available for CVE-2026-6376. Check NVD for updates.
Is there a patch for CVE-2026-6376?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.