Ethan Carter is the responsible editor for this article. He leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents.
Two high-severity security flaws (CVE-2026-6375 and CVE-2026-6376) in SpiceJet's online booking system allow unauthorized access to passenger personal and booking information. These vulnerabilities enable attackers to enumerate passenger records and retrieve sensitive details without authentication, posing significant privacy and security risks worldwide. This article consolidates official findings from CISA and offers actionable steps for affected users and organizations to mitigate exposure.
# Critical Vulnerabilities in SpiceJet Online Booking System Expose Passenger Data Globally
## What happened
On April 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) disclosed two critical vulnerabilities affecting the SpiceJet Online Booking System, a widely used platform for flight reservations operated by the Indian airline SpiceJet. These vulnerabilities, tracked as CVE-2026-6375 and CVE-2026-6376, both carry a high severity CVSS score of 7.5 and allow unauthorized users to access sensitive passenger information without any authentication.
The flaws stem from missing authorization and authentication controls on key booking system functions. Specifically, attackers can enumerate passenger name records (PNRs) due to predictable identifiers and retrieve full booking details using only a PNR and last name, bypassing any login or verification mechanisms. This exposes personally identifiable information (PII), travel itineraries, and booking metadata to malicious actors worldwide.
## Confirmed facts
- CVE-2026-6375: An authorization bypass vulnerability in SpiceJet’s booking API permits unauthenticated users to query PNRs without access controls. Because PNRs follow predictable patterns, attackers can systematically enumerate valid records and harvest passenger names. This is a classic case of CWE-639 (Authorization Bypass Through User-Controlled Key).
- CVE-2026-6376: A missing authentication flaw on the public booking retrieval page allows anyone with a PNR and last name to access full passenger booking details, including personal and travel data. This vulnerability corresponds to CWE-306 (Missing Authentication for Critical Function).
- Both vulnerabilities affect all versions of the SpiceJet Online Booking System globally.
- SpiceJet has not responded to CISA’s coordination requests or issued public patches as of the latest advisory.
- The vulnerabilities have a CVSS v3.1 base score of 7.5, indicating high risk due to remote network access without privileges or user interaction.
- The advisory recommends minimizing network exposure, isolating booking system components behind firewalls, and using secure remote access methods such as up-to-date VPNs.
- The vulnerabilities were responsibly disclosed to CISA by security researcher Owais Shaikh.
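The two weaknesses named above (CWE-639 and CWE-306) are easiest to see side by side. The following is an added illustration written for this article, not SpiceJet's code or anything taken from the CISA advisory: a minimal booking-retrieval function in the vulnerable shape (any caller can query a PNR, the response reveals whether a PNR exists, and full details come back with no authentication), next to a hardened service that requires a per-booking high-entropy access token, returns one uniform response for every failure, and caps failed attempts per client. All names, record fields and thresholds are assumptions for the example.

```python
"""Vulnerable vs. hardened booking retrieval (added example; not SpiceJet code)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample bookings. The six-character codes stand in for the
# predictable record locators described in the advisory.
BOOKINGS = {
    "ABC123": {"last_name": "SHARMA", "itinerary": "DEL-BOM 2026-05-01", "email": "a@example.com"},
    "ABC124": {"last_name": "KHAN", "itinerary": "BOM-GOI 2026-05-03", "email": "k@example.com"},
}


# --- Vulnerable pattern: CWE-639 + CWE-306 -------------------------------
def vulnerable_lookup(pnr: str, last_name: str = ""):
    """Serve a booking to any caller.

    Two defects, both assumed for illustration:
    * the PNR (a user-controlled key) is the only lookup input and the
      response differs for known and unknown PNRs, so the endpoint confirms
      which identifiers are valid (CWE-639);
    * no authentication or ownership check guards the full record (CWE-306);
      last_name is optional and never required.
    """
    record = BOOKINGS.get(pnr)
    if record is None:
        return {"status": 404, "error": "PNR not found"}
    if last_name and record["last_name"] != last_name.upper():
        return {"status": 403, "error": "last name mismatch"}
    return {"status": 200, "booking": record}


# --- Hardened pattern -----------------------------------------------------
@dataclass
class BookingService:
    """Retrieval that treats the PNR as an index, not a credential.

    A random access token is issued per booking and delivered out of band
    (for example in the confirmation e-mail). Retrieval needs PNR, last name
    and token; every failure yields the same status, and a per-client
    failure budget throttles guessing.
    """
    bookings: dict
    tokens: dict = field(default_factory=dict)    # pnr -> access token
    failures: dict = field(default_factory=dict)  # client_id -> failed attempts
    max_failures: int = 5

    def issue_token(self, pnr: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable
        self.tokens[pnr] = token
        return token

    def retrieve(self, client_id: str, pnr: str, last_name: str, token: str):
        if self.failures.get(client_id, 0) >= self.max_failures:
            return {"status": 429, "error": "too many attempts"}
        record = self.bookings.get(pnr)
        expected = self.tokens.get(pnr)
        # Compare secrets in constant time; a wrong PNR, wrong name and wrong
        # token all collapse into the same "no match" answer.
        ok = (
            record is not None
            and expected is not None
            and hmac.compare_digest(expected.encode(), token.encode())
            and hmac.compare_digest(record["last_name"].encode(), last_name.upper().encode())
        )
        if not ok:
            self.failures[client_id] = self.failures.get(client_id, 0) + 1
            return {"status": 404, "error": "no matching booking"}
        return {"status": 200, "booking": record}


if __name__ == "__main__":
    print(vulnerable_lookup("ABC123"))  # full record, no credential at all
    svc = BookingService(dict(BOOKINGS))
    tok = svc.issue_token("ABC123")
    print(svc.retrieve("client-a", "ABC123", "Sharma", tok))
    print(svc.retrieve("client-a", "ABC124", "Khan", tok))  # uniform failure
```

The hardened variant still accepts the PNR, because passengers need some locator; the point is that knowing the locator (or guessing a neighbouring one) no longer grants access, and the server cannot be used as an oracle for which locators exist. In a real deployment the failure budget would live in a shared store keyed by client and be paired with the rate limiting discussed later in the article.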
## Who is affected
- Passengers worldwide who have booked flights through SpiceJet’s online system are at risk of having their personal and travel information exposed.
- SpiceJet as an organization faces reputational damage, regulatory scrutiny, and potential legal liability due to failure to secure sensitive customer data.
- Third-party entities relying on SpiceJet’s booking data for travel management or partner services may also be indirectly affected.
- The vulnerabilities pose a particular threat to travelers with predictable PNRs or those whose booking details can be guessed or harvested by attackers.
## What to do now
- If you have booked flights with SpiceJet recently:
  - Monitor your email and phone for any suspicious communications or phishing attempts referencing your travel.
  - Avoid sharing your PNR or booking details publicly or with untrusted parties.
  - Contact SpiceJet customer support directly for updates on remediation and to inquire about protective measures.
- For organizations and travel agencies:
  - Advise clients to be cautious about unsolicited requests for booking information.
  - Limit automated queries to SpiceJet’s booking system to prevent abuse.
- For SpiceJet:
  - Urgently implement access control and authentication mechanisms on all booking system endpoints.
  - Conduct a full security audit and notify affected customers transparently.
- General users:
  - Be vigilant for phishing scams impersonating SpiceJet or travel agents exploiting this data leak.
  - Use strong, unique passwords for travel-related accounts and enable multi-factor authentication where possible.
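Limiting automated queries presupposes that the operator can recognise them. As an added example for defenders (written for this article, not taken from SpiceJet or the advisory), the script below runs an enumeration heuristic over constructed web-server access lines: per client and five-minute window it counts distinct PNRs requested, the share of not-found responses, and how many of the requested PNRs are numerically adjacent to one another, which is the signature a predictable identifier space leaves in logs. The log format, field names, thresholds and IP addresses are all assumptions.

```python
"""Detect PNR enumeration in booking-retrieval access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp> <client ip> <method> <path?query> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
PNR_RE = re.compile(r"[?&]pnr=([A-Z0-9]{6})(?:&|$)", re.I)

# Constructed sample: one legitimate client re-checking its own booking and
# one client walking consecutive locators, almost all of which do not exist.
SAMPLE_LOG = [
    "2026-04-23T10:00:01Z 198.51.100.20 GET /booking/retrieve?pnr=QWE789&lastname=MEHTA 200",
    "2026-04-23T10:02:30Z 198.51.100.20 GET /booking/retrieve?pnr=QWE789&lastname=MEHTA 200",
] + [
    f"2026-04-23T10:00:{i:02d}Z 203.0.113.7 GET /booking/retrieve?pnr=ABC{100 + i}&lastname=X "
    f"{200 if i == 7 else 404}"
    for i in range(12)
]


def parse_line(line: str):
    """Return (timestamp, ip, pnr, status) or None for lines without a PNR query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PNR_RE.search(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], p.group(1).upper(), int(m["status"])


def adjacent_fraction(pnrs) -> float:
    """Fraction of sorted neighbouring PNR pairs whose trailing numbers differ by exactly 1.

    Near 1.0 means the client is stepping through the identifier space.
    """
    ordered = sorted(pnrs)
    if len(ordered) < 2:
        return 0.0
    hits = 0
    for a, b in zip(ordered, ordered[1:]):
        ma, mb = re.search(r"\d+$", a), re.search(r"\d+$", b)
        if ma and mb and a[: ma.start()] == b[: mb.start()] and int(mb.group()) - int(ma.group()) == 1:
            hits += 1
    return hits / (len(ordered) - 1)


def detect_enumeration(lines, window_seconds=300, min_distinct=10, min_miss_ratio=0.7):
    """Flag (ip, window) pairs that query many distinct PNRs with mostly not-found results."""
    buckets = defaultdict(lambda: {"pnrs": set(), "total": 0, "misses": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, pnr, status = parsed
        key = (ip, int(ts.timestamp()) // window_seconds)
        b = buckets[key]
        b["pnrs"].add(pnr)
        b["total"] += 1
        if status == 404:
            b["misses"] += 1
    alerts = []
    for (ip, bucket), b in sorted(buckets.items()):
        miss_ratio = b["misses"] / b["total"]
        if len(b["pnrs"]) >= min_distinct and miss_ratio >= min_miss_ratio:
            alerts.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(bucket * window_seconds, timezone.utc).isoformat(),
                "distinct_pnrs": len(b["pnrs"]),
                "misses": b["misses"],
                "total": b["total"],
                "adjacent_fraction": round(adjacent_fraction(b["pnrs"]), 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

A client that legitimately retrieves its own itinerary touches one PNR and gets 200s, so it never crosses the distinct-PNR threshold. The adjacency score is reported rather than used as a gate so that analysts can tune it: a scraper that randomises its guesses will still trip the distinct/miss test, while a high adjacency value is strong evidence that the identifiers themselves are the problem, which is exactly what the CWE-639 finding says.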
## How to secure yourself
- Protect your booking information: Never share your PNR and last name combination publicly or on social media.
- Verify communications: Confirm that any emails or calls claiming to be from SpiceJet are legitimate before providing personal data.
- Monitor accounts: Regularly check your email and bank statements for unauthorized activity related to travel bookings.
- Use secure networks: When accessing travel accounts or booking systems, use trusted devices and secure internet connections.
- Update credentials: Change passwords for your SpiceJet account and related services if you suspect compromise.
- Report suspicious activity: Inform SpiceJet and cybersecurity authorities if you detect misuse of your booking information.
## 2026 update
In 2026, the disclosure of CVE-2026-6375 and CVE-2026-6376 highlighted significant security gaps in airline booking systems, with SpiceJet’s platform serving as a cautionary example. Despite the high risk, SpiceJet’s lack of response to CISA’s coordination efforts underscores ongoing challenges in vendor communication and timely remediation in critical infrastructure sectors like transportation.
The incident has spurred increased regulatory attention on data privacy in aviation and accelerated adoption of stringent authentication protocols across booking platforms globally. It also emphasized the need for airlines to proactively engage with cybersecurity agencies and researchers to address vulnerabilities before exploitation occurs.
## FAQ
What is CVE-2026-6375 and how does it affect me?
CVE-2026-6375 is an authorization bypass vulnerability allowing attackers to enumerate passenger name records without authentication, potentially exposing your booking information.
Can someone access my SpiceJet flight details without logging in?
Yes, due to CVE-2026-6376, an attacker with your PNR and last name can retrieve your full booking details without any login or verification.
How can attackers guess my PNR?
PNRs follow predictable patterns, enabling attackers to systematically guess valid codes and access corresponding passenger data.
Has SpiceJet fixed these vulnerabilities?
As of April 2026, SpiceJet has not publicly issued patches or responded to CISA’s requests for coordination.
What personal information is at risk?
Information such as passenger names, travel itineraries, booking metadata, and potentially contact details are exposed.
Should I cancel my SpiceJet booking?
Not necessarily, but monitor your bookings closely and contact SpiceJet for guidance.
How can I protect my data from these vulnerabilities?
Avoid sharing your PNR publicly, use strong passwords, verify communications, and report suspicious activity.
Is this vulnerability unique to SpiceJet?
While these specific CVEs affect SpiceJet, similar authorization and authentication flaws can exist in other airline booking systems.
What regulatory actions might follow?
Data protection authorities may investigate SpiceJet for compliance failures, potentially resulting in fines or mandated security improvements.
How can airlines prevent such vulnerabilities?
By implementing strict access controls, authentication requirements, regular security audits, and responsive vulnerability management programs.
## Why this matters
The SpiceJet vulnerabilities expose millions of travelers worldwide to privacy invasions and identity theft risks. Unauthorized access to booking data can facilitate targeted phishing attacks, fraudulent bookings, and broader identity fraud schemes. The incident underscores the critical importance of robust cybersecurity practices in transportation infrastructure, where data breaches can have cascading effects on passenger safety and trust.
Moreover, the airline’s failure to engage with cybersecurity authorities raises concerns about industry readiness to handle emerging cyber threats. This case serves as a stark reminder that even well-established companies must prioritize security to protect customers and maintain operational integrity.
## Sources and corroboration
This article synthesizes information exclusively from the official CISA advisory published on April 23, 2026, available at [CISA ICS Advisory ICSA-26-113-04](https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04). The vulnerabilities were reported by researcher Owais Shaikh and confirmed by CISA’s analysis. No additional vendor communications or patches have been issued as of the advisory date.
For further details and updates, users are encouraged to visit SpiceJet’s official contact page: https://corporate.spicejet.com/contactus.aspx