This vulnerability involves an authorization bypass (CWE-639) in SpiceJet's booking API, where unauthenticated users can query PNRs without access control. Because PNR identifiers follow a predictable pattern, attackers can enumerate valid passenger records and obtain sensitive passenger name information. The root cause is the absence of authorization checks on an API endpoint designed for authenticated user profile access. The CVSS 4.0 base score is 8.7 (high severity), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality. No patch or remediation level is currently documented.

The vulnerability allows unauthorized disclosure of passenger name records by enabling unauthenticated users to systematically enumerate and access PNR data. This compromises passenger privacy and could lead to further targeted attacks or identity misuse. There is no indication of integrity or availability impact. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected API endpoint through network controls or implement custom authorization checks if possible. Monitor for suspicious activity related to PNR enumeration attempts.