The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding two security vulnerabilities in the SpiceJet Online Booking System. Tracked as CVE-2026-6375 and CVE-2026-6376, these flaws affect the airline's web-based booking platform and could allow attackers to access sensitive passenger data, including Passenger Name Records (PNR).

The Vulnerabilities at a Glance

CVE-2026-6375 and CVE-2026-6376 are both classified as improper access control vulnerabilities. They reside in the booking system's backend, where user authentication and authorization checks are insufficiently enforced. An unauthenticated attacker can exploit these flaws by crafting special HTTP requests, bypassing login screens and directly accessing internal endpoints that should be restricted to authorized personnel.

The vulnerabilities enable the disclosure of PNR data, which typically includes passenger names, flight details, contact information, and sometimes payment data. In the wrong hands, this information could be used for identity theft, phishing attacks, or even physical stalking.

Technical Breakdown

According to CISA's advisory, the flaws are present in versions of the SpiceJet Online Booking System prior to the latest security patch. The exact affected version numbers were not disclosed, but the agency urges all users and administrators to apply updates immediately.

CVE-2026-6375 is an insecure direct object reference (IDOR) vulnerability. The system fails to validate whether a user has permission to access a specific PNR record. An attacker can simply enumerate PNR numbers in API calls and retrieve booking details without authentication.

CVE-2026-6376 is a more generalized authorization bypass. It allows an attacker to access administrative functions or endpoints that should require elevated privileges. By manipulating URL parameters or HTTP headers, an attacker can trigger backend processes that return passenger data.

Potential Impact on Passengers

If exploited, these vulnerabilities could have serious consequences for travelers. PNR data is a goldmine for cybercriminals. With flight details and personal information, an attacker could cancel or modify bookings, request refunds, or even impersonate the passenger to gain access to frequent flyer accounts.

Moreover, leaked contact details could lead to targeted phishing emails or SMS messages that appear to come from SpiceJet, tricking victims into revealing credit card numbers or login credentials.

CISA's Response and Recommendations

CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that there is evidence of active exploitation or a high risk of it. Federal agencies are required to remediate the flaws by a specific deadline, but the advisory also strongly recommends that private sector organizations using the SpiceJet booking system take immediate action.

The agency advises:
- Apply the latest security patches provided by SpiceJet.
- Implement network segmentation to limit exposure of the booking system.
- Enable robust logging and monitoring to detect unauthorized access attempts.
- Conduct a thorough review of access controls and user permissions.
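As an added, defender-side example (not from CISA's advisory or SpiceJet's systems), the following Python flags clients that request many distinct PNR locators in a short window, the enumeration pattern described under CVE-2026-6375 and the kind of unauthorized-access signal the logging recommendation above is meant to surface. The log format, request paths and six-character PNR shape are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format): timestamp, client IP,
# HTTP method, request path, status code. Not real SpiceJet logs.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.7 GET /api/booking/PNR/ABC123 200
2026-03-01T10:00:02Z 203.0.113.7 GET /api/booking/PNR/ABC124 200
2026-03-01T10:00:03Z 203.0.113.7 GET /api/booking/PNR/ABC125 404
2026-03-01T10:00:04Z 203.0.113.7 GET /api/booking/PNR/ABC126 200
2026-03-01T10:00:05Z 203.0.113.7 GET /api/booking/PNR/ABC127 200
2026-03-01T10:00:06Z 203.0.113.7 GET /api/booking/PNR/ABC128 200
2026-03-01T10:05:00Z 198.51.100.9 GET /api/booking/PNR/XYZ789 200
2026-03-01T10:30:00Z 198.51.100.9 GET /api/booking/PNR/XYZ789 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumption: PNR locators are six alphanumeric characters in the request path.
PNR_RE = re.compile(r"/PNR/(?P<pnr>[A-Z0-9]{6})\b")

def parse_log(text):
    """Yield (timestamp, ip, pnr, status) for each PNR lookup in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PNR_RE.search(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], p["pnr"], int(m["status"])

def find_enumerators(text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: max distinct PNRs} for clients that looked up at least
    `threshold` distinct PNRs inside any sliding window of length `window`.
    Misses (404) count too: guessing locators produces them in bulk."""
    events = defaultdict(list)
    for ts, ip, pnr, _status in parse_log(text):
        events[ip].append((ts, pnr))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {pnr for ts, pnr in evs[i:] if ts - start <= window}
            if len(seen) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged
```

A legitimate passenger re-opening one booking (the second client above) stays below the threshold, while the sequential-locator client is reported together with how many distinct records it touched.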

SpiceJet's Response

SpiceJet has acknowledged the vulnerabilities and released a security update. The airline's official statement emphasizes that no customer data has been compromised to date, but urges passengers to remain vigilant. SpiceJet has also notified relevant aviation authorities and is cooperating with cybersecurity researchers.

The Bigger Picture

This incident highlights a persistent problem in the travel industry: legacy booking systems often rely on outdated security models. The shift to cloud-based platforms and API-driven architectures has introduced new attack surfaces, and many airlines are still catching up.

Passengers can protect themselves by using unique passwords for booking accounts, enabling two-factor authentication where available, and monitoring their accounts for suspicious activity. However, the onus remains on airlines to secure the underlying systems.

Conclusion

CISA's advisory on SpiceJet's booking flaws is a stark reminder that even well-known airlines can harbor critical vulnerabilities. With CVE-2026-6375 and CVE-2026-6376, the window for attackers is narrow, but real. Passengers should stay informed and apply best practices, while the industry must prioritize security over convenience.