CVE-2026-6375
UNKNOWN
NVD
CVSS Score
0
Severity
UNKNOWN
Published
Apr 23, 2026
Vendor
unknown
Description
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.