🎯 Basically, hackers can see private flight details without permission.
What Happened
SpiceJet's Online Booking System has been found to have two serious vulnerabilities, CVE-2026-6375 and CVE-2026-6376. These flaws allow unauthorized users to access sensitive passenger information, including names and booking details, without any authentication.
The Flaw
- CVE-2026-6375: This vulnerability in SpiceJet's booking API enables unauthenticated users to query Passenger Name Records (PNRs). Since PNR identifiers follow a predictable pattern, attackers can systematically enumerate valid records, exposing passenger names and associated data.
- CVE-2026-6376: This weakness on the public booking retrieval page allows access to full passenger booking details using just a PNR and last name. This lack of authentication means that any user can potentially access extensive personal and travel information.
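Because CVE-2026-6375 comes down to unauthenticated lookups against predictable identifiers, a defender can watch for one client requesting many distinct PNRs in a short window with a high not-found rate. The sketch below is an added example, not SpiceJet's code: the log format, the `/api/pnr/` path, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per client (assumed threshold)
MAX_DISTINCT = 10               # distinct PNRs one client may look up per window
MIN_MISS_RATIO = 0.5            # share of not-found answers that suggests guessing

def parse(line):
    """Split one log line: ISO timestamp, client IP, request path, HTTP status."""
    ts, client, path, status = line.split()
    return datetime.fromisoformat(ts), client, path.rsplit("/", 1)[-1], int(status)

def find_enumerators(lines):
    """Return {client: distinct PNR count} for clients exceeding both thresholds."""
    recent = defaultdict(deque)     # client -> (time, pnr, status) inside the window
    flagged = {}
    for ts, client, pnr, status in sorted(map(parse, lines)):
        q = recent[client]
        q.append((ts, pnr, status))
        while ts - q[0][0] > WINDOW:    # drop lookups older than the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        misses = sum(1 for _, _, s in q if s == 404)
        if len(distinct) > MAX_DISTINCT and misses / len(q) >= MIN_MISS_RATIO:
            flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged

# Constructed sample: one client walks 12 identifiers in a minute, another
# retrieves its own booking twice. Addresses are documentation ranges.
SAMPLE = [
    f"2026-01-10T10:00:{i * 5:02d} 198.51.100.7 /api/pnr/TEST{i:02d} "
    f"{200 if i % 4 == 0 else 404}"
    for i in range(12)
] + [
    "2026-01-10T10:00:10 203.0.113.20 /api/pnr/ZQ7K2M 200",
    "2026-01-10T10:03:40 203.0.113.20 /api/pnr/ZQ7K2M 200",
]

if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE).items():
        print(f"{client}: {count} distinct PNRs within {WINDOW}")
```

Keying on distinct identifiers per client rather than raw request volume keeps a passenger who reloads their own booking from being flagged.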
What's at Risk
The vulnerabilities pose a high risk to passengers as their personal and travel data could be accessed by malicious actors. Given the nature of the data involved, this could lead to identity theft or other forms of exploitation.
Patch Status
Currently, SpiceJet has not coordinated with CISA regarding remediation efforts. Users are encouraged to contact SpiceJet directly for more information on how to secure their data.
Immediate Actions
Containment
1. Reach out to SpiceJet: If you are a user of the Online Booking System, contact SpiceJet for guidance on mitigating these vulnerabilities.
2. Monitor your data: Be vigilant about any suspicious activity related to your travel bookings or personal information.
Remediation
Conclusion
The discovery of these vulnerabilities highlights the importance of robust security measures in online booking systems. Users must remain informed and proactive in protecting their sensitive information.
🔒 Pro insight: The predictable nature of PNR identifiers significantly increases the risk of systematic data breaches in online booking systems.
