CVE-2026-6376
Description
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-6376? +
How do I check if I'm vulnerable to CVE-2026-6376? +
Related Vulnerabilities
An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to …
Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT …
A Missing Authentication for Critical Function vulnerability in the GRUB configuration used B&R APROL <4.4-01 may allow an unauthenticated physical …
Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that …
A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 …
A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the …