CVE-2026-28352 (GCVE-0-2026-28352)
Vulnerability from cvelistv5 – Published: 2026-02-27 21:01 – Updated: 2026-03-03 20:29
VLAI?
Title
Indico missing access check in event series management API
Summary
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.
Severity ?
6.5 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T20:29:12.418888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T20:29:18.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "indico",
"vendor": "indico",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T21:01:45.740Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v"
},
{
"name": "https://github.com/indico/indico/releases/tag/v3.3.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/indico/indico/releases/tag/v3.3.11"
}
],
"source": {
"advisory": "GHSA-rfpp-2hgm-gp5v",
"discovery": "UNKNOWN"
},
"title": "Indico missing access check in event series management API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28352",
"datePublished": "2026-02-27T21:01:45.740Z",
"dateReserved": "2026-02-26T18:38:13.890Z",
"dateUpdated": "2026-03-03T20:29:18.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28352",
"date": "2026-04-17",
"epss": "0.00026",
"percentile": "0.07177"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28352\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-27T21:16:19.323\",\"lastModified\":\"2026-03-03T18:31:21.570\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.\"},{\"lang\":\"es\",\"value\":\"Indico es un sistema de gesti\u00f3n de eventos que utiliza Flask-Multipass, un sistema de autenticaci\u00f3n multi-backend para Flask. En versiones anteriores a la 3.3.11, el endpoint de la API utilizado para gestionar series de eventos carece de una verificaci\u00f3n de acceso, permitiendo acceso no autenticado/no autorizado a este endpoint. El impacto de esto se limita a obtener los metadatos (t\u00edtulo, cadena de categor\u00eda, fecha de inicio/fin) para eventos en una serie existente, eliminar una serie de eventos existente y modificar una serie de eventos existente. Esta vulnerabilidad NO permite acceso no autorizado a eventos (m\u00e1s all\u00e1 de los metadatos b\u00e1sicos mencionados anteriormente), ni ning\u00fan tipo de manipulaci\u00f3n de datos visibles para el usuario en los eventos. La versi\u00f3n 3.3.11 corrige el problema. Como soluci\u00f3n alternativa, utilice el servidor web para restringir el acceso al endpoint de la API de gesti\u00f3n de series.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.3.11\",\"matchCriteriaId\":\"85C78415-FE1D-48C2-9C1C-1B12AADFAFAC\"}]}]}],\"references\":[{\"url\":\"https://github.com/indico/indico/releases/tag/v3.3.11\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28352\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T20:29:12.418888Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T20:29:15.850Z\"}}], \"cna\": {\"title\": \"Indico missing access check in event series management API\", \"source\": {\"advisory\": \"GHSA-rfpp-2hgm-gp5v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"indico\", \"product\": \"indico\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.3.11\"}]}], \"references\": [{\"url\": \"https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v\", \"name\": \"https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/indico/indico/releases/tag/v3.3.11\", \"name\": \"https://github.com/indico/indico/releases/tag/v3.3.11\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-27T21:01:45.740Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-28352\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-03T20:29:18.718Z\", \"dateReserved\": \"2026-02-26T18:38:13.890Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-27T21:01:45.740Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…