Platform: python
Component: indico
Fixed in: 3.3.12, 3.3.11
CVE-2026-28352 describes an authorization bypass vulnerability in indico, a web-based event and conference management system. This flaw allows unauthenticated or unauthorized users to access and manipulate event series metadata. Versions of indico prior to 3.3.11 are affected, and a fix has been released in version 3.3.11.
The vulnerability lies within the API endpoint responsible for managing event series. Due to a missing access check, attackers can bypass authentication and authorization controls. While the impact is considered limited, it still presents a security risk. Attackers can retrieve metadata such as the event series title, category chain, and start/end dates. More concerningly, they can delete existing event series, removing links between events and potentially altering event titles. Modification of the series metadata, such as toggling display options, is also possible. This could disrupt event organization and potentially lead to confusion among participants.
This CVE was publicly disclosed on 2026-03-01. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability's limited impact may reduce the likelihood of widespread exploitation.
Organizations and institutions utilizing indico for event and conference management are at risk, particularly those running versions 3.3.9 or earlier. Shared hosting environments where multiple users have access to the indico instance are also at increased risk, as the vulnerability could be exploited to impact events managed by other users.
• python / server:
# Check the installed indico version (vulnerable if older than the fixed release)
pip show indico 2>/dev/null | grep -i '^Version'
• generic web:
# An unauthenticated request to the series endpoint should be challenged
curl -sI https://your-indico-instance/api/event_series/ | grep -i 'WWW-Authenticate'
• generic web:
# Check for unusual API access patterns in access logs
grep 'api/event_series/' /var/log/apache2/access.log | grep ' 403 '   # Look for denied access attempts
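The log check above only surfaces denials; on an unpatched instance the interesting events are the state-changing requests to the series endpoint that succeeded. The following added example (not part of the advisory or of the indico project) parses Apache combined-format access log lines, constructed here as sample input, and reports successful POST/PUT/PATCH/DELETE requests to the advisory's `/api/event_series/` path alongside per-client 401/403 counts; successful hits still need to be correlated with the application's own record of who was logged in, since legitimate managers also delete and edit series.

```python
import re
from collections import Counter

# Apache "combined" log format. Field names are this example's own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SERIES_PATH = "/api/event_series/"          # endpoint path from the advisory
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:02:11 +0000] "GET /api/event_series/12 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [01/Mar/2026:10:02:15 +0000] "DELETE /api/event_series/12 HTTP/1.1" 204 0 "-" "curl/8.4.0"
198.51.100.9 - - [01/Mar/2026:10:05:40 +0000] "GET /api/event_series/12 HTTP/1.1" 403 220 "-" "python-requests/2.31"
198.51.100.9 - - [01/Mar/2026:10:05:41 +0000] "PATCH /api/event_series/12 HTTP/1.1" 403 220 "-" "python-requests/2.31"
192.0.2.44 - - [01/Mar/2026:10:10:03 +0000] "GET /event/55/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return (successful state-changing series requests, denied attempts per IP)."""
    hits = []
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(SERIES_PATH):
            continue
        status = int(rec["status"])
        if rec["method"] in STATE_CHANGING and 200 <= status < 300:
            hits.append((rec["ip"], rec["method"], rec["path"], status, rec["ua"]))
        elif status in (401, 403):
            denied[rec["ip"]] += 1
    return hits, denied


if __name__ == "__main__":
    hits, denied = analyse(SAMPLE_LOG)
    for ip, method, path, status, ua in hits:
        print(f"REVIEW: {ip} {method} {path} -> {status} ({ua})")
    for ip, n in denied.most_common():
        print(f"denied: {ip} x{n}")
```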
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-28352 is to upgrade indico to version 3.3.11 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, restricting access to the affected API endpoint based on user roles and authentication status can provide some protection. Thoroughly review user permissions and ensure that only authorized users have access to event series management functions. After upgrading, confirm the fix by attempting to access the event series management API endpoint without proper authentication; access should be denied.
Update Indico to version 3.3.11 or later. Otherwise, configure the web server to restrict access to the series management API endpoint.
CVE-2026-28352 is a medium-severity authorization bypass vulnerability affecting indico versions up to 3.3.9. It allows unauthorized users to access and modify event series metadata.
You are affected if you are running indico version 3.3.9 or earlier. Upgrade to version 3.3.11 or later to mitigate the vulnerability.
The recommended fix is to upgrade indico to version 3.3.11 or later. If immediate upgrade is not possible, restrict access to the affected API endpoint based on user roles.
There is currently no evidence of active exploitation of CVE-2026-28352, and no public proof-of-concept code is available.
Please refer to the official indico security advisories on their website for the most up-to-date information and announcements regarding CVE-2026-28352.