Weakness in SpiceJet Booking System Exposes Passenger Data
CVE-2026-6376

8.7HIGH

Key Information:

Vendor: Spicejet
Status: Online Booking System
Vendor: CVE Published:; 23 April 2026

What is CVE-2026-6376?

A security flaw in SpiceJet's booking retrieval system allows unauthorized users to access detailed passenger booking information using only a Passenger Name Record (PNR) and last name, bypassing any authentication or verification processes. This significant oversight in access control mechanisms leaves sensitive personal and travel data vulnerable to exposure, enabling anyone with basic information to retrieve extensive booking details.

Affected Version(s)

Online Booking System All

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Owais Shaikh reported these vulnerabilities to CISA.

CVE-2026-6376 Data

JSON

Spicejet

What is CVE-2026-6376?

Affected Version(s)

References

CVSS V4

Timeline

Credit