Unauthorized Data Access in SpiceJet's Booking API
CVE-2026-6375
8.7 HIGH
What is CVE-2026-6375?
A flaw in SpiceJet’s booking API allows unauthorized users to access passenger name records (PNRs) because the API lacks appropriate access controls. PNR identifiers are predictable, so attackers can systematically query them and retrieve sensitive passenger information without proper authorization. The issue arises from insufficient checks on an endpoint designed for authenticated access, which exposes user data to potential exploitation.
Affected Version(s)
Online Booking System: All
CVSS V4
Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Owais Shaikh reported these vulnerabilities to CISA.
