SpiceJet Online Booking System

Monitor | CVSS 7.5 | ICS-CERT ICSA-26-113-04 | Apr 23, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The SpiceJet Online Booking System contains authentication and authorization vulnerabilities (CWE-639: Authorization Through User-Controlled Key, CWE-306: Missing Authentication for Critical Function) that allow attackers to disclose sensitive information. Successful exploitation could expose passenger personal data, payment information, and booking records. SpiceJet has not coordinated with CISA and has not released a patch.

What this means
What could happen
An attacker could access sensitive information stored in the booking system, potentially exposing passenger personal data, payment information, or booking details.
Who's at risk
This vulnerability affects any organization or individual using the SpiceJet Online Booking System for airline reservations. Airlines, travel agencies, corporate travel departments, and end passengers who book through this system are at risk of having their personal data, payment information, and travel itineraries exposed.
How it could be exploited
An attacker on the network or with internet access could exploit authentication or authorization weaknesses (CWE-639, CWE-306) to bypass access controls and retrieve sensitive data from the Online Booking System without valid credentials.
Prerequisites
  • Network access to the SpiceJet Online Booking System (typically internet-facing)
  • No authentication required
remotely exploitable | no authentication required | low complexity | sensitive data exposure (personally identifiable information)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Online Booking System | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Contact SpiceJet directly at https://corporate.spicejet.com/contactus.aspx to request security guidance and available mitigations
HARDENING: Restrict access to the SpiceJet Online Booking System to authorized personnel and systems only, using firewall rules or VPN requirements where applicable
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: If operating a system that depends on or integrates with the SpiceJet booking system, implement network monitoring and access logging to detect unauthorized data access attempts
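
One way to act on the access-logging mitigation above, as an added example that is not part of the original advisory or of any SpiceJet code: a log review that flags booking records served with no authenticated identity (the CWE-306 signal) and clients that retrieve many distinct record keys (the CWE-639 signal). The log format, the /booking/<key> path and the threshold are assumptions, since the advisory names no endpoints.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical proxy log format:
#   <client_ip> <auth_user or "-"> <method> <path> <status>
# The /booking/<key> path is a placeholder; the advisory names no endpoints.
SAMPLE_LOG = """\
10.0.0.5 agent01 GET /booking/AB12CD 200
10.0.0.5 agent01 GET /booking/AB12CD 200
203.0.113.9 - GET /booking/ZX10AA 200
203.0.113.9 - GET /booking/ZX10AB 200
203.0.113.9 - GET /booking/ZX10AC 200
203.0.113.9 - GET /booking/ZX10AD 403
198.51.100.7 - GET /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /booking/(\w+) (\d{3})$")

def analyze(log_text, max_keys_per_client=2):
    """Return (unauthenticated_hits, enumerating_clients) for booking requests."""
    unauth = []                         # record served with no identity (CWE-306)
    keys_by_client = defaultdict(set)   # distinct record keys per client (CWE-639)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # not a booking-record request
        ip, user, _method, key, status = m.groups()
        if status != "200":
            continue                    # only count records actually returned
        keys_by_client[ip].add(key)
        if user == "-":
            unauth.append((ip, key))
    enumerators = {
        ip: sorted(keys) for ip, keys in keys_by_client.items()
        if len(keys) > max_keys_per_client
    }
    return unauth, enumerators

if __name__ == "__main__":
    unauth, enumerators = analyze(SAMPLE_LOG)
    print("Served without authentication:", unauth)
    print("Clients exceeding key threshold:", enumerators)
```

The threshold should be tuned to the integration's normal traffic, since a travel-agency front end legitimately touches many bookings per client address.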