Platform: python
Component: indico
Fixed in: 3.3.12, 3.3.11
CVE-2026-28352 describes an authorization bypass vulnerability in indico, a web-based event and conference management system. This flaw allows unauthenticated or unauthorized users to access and manipulate event series metadata. Versions of indico prior to 3.3.11 are affected, and a fix has been released in version 3.3.11.
The vulnerability lies within the API endpoint responsible for managing event series. Due to a missing access check, attackers can bypass authentication and authorization controls. While the impact is considered limited, it still presents a security risk. Attackers can retrieve metadata such as the event series title, category chain, and start/end dates. More concerningly, they can delete existing event series, removing links between events and potentially altering event titles. Modification of the series metadata, such as toggling display options, is also possible. This could disrupt event organization and potentially lead to confusion among participants.
This CVE was publicly disclosed on 2026-03-01. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability's limited impact may reduce the likelihood of widespread exploitation.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-28352 is to upgrade indico to version 3.3.11 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, restricting access to the affected API endpoint based on user roles and authentication status can provide some protection. Thoroughly review user permissions and ensure that only authorized users have access to event series management functions. After upgrading, confirm the fix by attempting to access the event series management API endpoint without proper authentication; access should be denied.
Update Indico to version 3.3.11 or higher. Alternatively, configure the web server to restrict access to the event series management API endpoint.
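The advisory recommends confirming the fix by requesting the event series management endpoint without credentials and checking that access is denied. The script below is an added example of that post-upgrade check; it is not code from the Indico project or from the advisory. The base URL and the endpoint path are placeholders (Indico's actual route for event series is not given on this page; take it from your deployment), and only GET is sent, because PATCH or DELETE against an unpatched instance would really alter or remove the series.

```python
"""Post-upgrade check for CVE-2026-28352 (added example; not Indico project code).

Sends one unauthenticated GET to the event series endpoint and classifies the
HTTP status. A fixed instance must answer 401/403 (or redirect to login); a 2xx
answer means the series metadata is still readable without credentials.
Only GET is used: never probe with DELETE/PATCH, since on an unpatched instance
those would actually destroy or alter the series.
"""
import sys
import urllib.error
import urllib.request

# Assumptions: both values are placeholders. Indico's real route for event
# series is not given on the advisory page; take it from your deployment.
BASE_URL = "https://indico.example.invalid"
SERIES_PATH = "/api/series/PLACEHOLDER_SERIES_ID"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: following a login redirect would fetch the
    login page with 200 and be misread as 'exposed'."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError carrying the 3xx code


def assess(status: int) -> str:
    """Map an HTTP status from an unauthenticated request to a verdict."""
    if 200 <= status < 300:
        return "exposed"        # metadata served without credentials: fix not in place
    if status in (401, 403):
        return "denied"         # expected after upgrading or restricting the endpoint
    if status in (301, 302, 303, 307, 308):
        return "redirect"       # usually a redirect to the login page; inspect Location
    if status == 404:
        return "not_found"      # endpoint path is wrong or the series id does not exist
    return "inconclusive"


def probe(url: str, timeout: float = 10.0) -> int:
    """GET the URL with no cookies, no Authorization header and no API token."""
    req = urllib.request.Request(url, method="GET",
                                 headers={"Accept": "application/json"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fix_confirmed(statuses) -> bool:
    """True only if every probed status is an explicit denial (401/403)."""
    statuses = list(statuses)
    return bool(statuses) and all(assess(s) == "denied" for s in statuses)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    status = probe(base.rstrip("/") + SERIES_PATH)
    print(f"GET {SERIES_PATH} -> HTTP {status}: {assess(status)}")
    sys.exit(0 if fix_confirmed([status]) else 1)
```

Run it as `python check_series_access.py https://your-indico-host` against a staging copy first; a "redirect" verdict is not a confirmed denial on its own, so check that the Location header points at the login page rather than at another copy of the data.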
CVE-2026-28352 is a medium-severity authorization bypass vulnerability affecting indico versions up to 3.3.9. It allows unauthorized users to access and modify event series metadata.
You are affected if you are running indico version 3.3.9 or earlier. Upgrade to version 3.3.11 or later to mitigate the vulnerability.
The recommended fix is to upgrade indico to version 3.3.11 or later. If immediate upgrade is not possible, restrict access to the affected API endpoint based on user roles.
There is currently no evidence of active exploitation of CVE-2026-28352, and no public proof-of-concept code is available.
Please refer to the official indico security advisories on their website for the most up-to-date information and announcements regarding CVE-2026-28352.