CISA 2026-04-23

SpiceJet Online Booking System

Machine-generated analysis · WAYSCloud LLM

SpiceJet's online booking system allows unauthenticated access to passenger name records and booking details. The vendor did not coordinate with CISA on remediation.

Context

The affected product is SpiceJet's Online Booking System, used in the transportation sector worldwide. The advisory states that two vulnerabilities allow unauthenticated attackers to retrieve passenger records and booking details through predictable identifiers and missing authentication checks. The vendor did not respond to CISA's coordination requests, leaving users without official mitigation guidance.

Operator considerations

Check: Inventory any use of SpiceJet Online Booking System.
Isolate: Restrict network access to SpiceJet booking endpoints if possible.
Patch: Contact SpiceJet directly for potential mitigation at https://corporate.spicejet.com/contactus.aspx.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information.

The following versions of SpiceJet Online Booking System are affected:

Online Booking System vers:all/* (CVE-2026-6375, CVE-2026-6376)

Vendor

Equipment

SpiceJet

SpiceJet Online Booking System

Authorization Bypass Through User-Controlled Key, Missing Authentication for Critical Function

Critical Infrastructure Sectors: Transportation Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: India

A vulnerability in SpiceJet's booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended...

Read the full advisory on CISA →