Broken Access Control in Indico Event Series Management (CVE-2026-28352)
Vulnerability ID: CVE-2026-28352
CVSS Score: 6.5
Published: 2026-03-01
An access control vulnerability (CVSS 6.5, Medium) in the Indico event management system allows unauthenticated attackers to modify or delete event series metadata. Before version 3.3.11 the RHEventSeries request handler enforced neither a login requirement nor a check that the requesting user is allowed to manage the series, so the access checks that the rest of Indico applies through RHProtected were never run for this handler.
TL;DR
Indico < 3.3.11 exposes the event series management API without authentication. Attackers can modify series patterns or delete series metadata remotely.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-285 / CWE-306
- CVSS v3.1: 6.5 (Medium)
- Attack Vector: Network
- Privileges Required: None
- Impact: Metadata Modification
- Exploit Status: Proof of Concept
Affected Systems
- Indico Event Management System
- Indico: < 3.3.11 (Fixed in: 3.3.11)
Code Analysis
Commit: fb6d800
Fix missing access check in event series management
class RHEventSeries(RHProtected):
+ def _check_access(self):
+ RHProtected._check_access(self)
+ if self.series and not self.series.can_manage(session.user):
+ raise Forbidden
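Review bot: when `self.series` is None the new `_check_access` falls through to `RHProtected._check_access` alone, so any logged-in user passes; if this handler also serves the path where no series exists yet (creation), confirm that "any authenticated user" is the intended policy there, otherwise that branch needs its own guard. The override also relies on `self.series` being populated before `_check_access` runs and on `session` and `Forbidden` being imported in this module; neither is visible in the hunk, so please point to where they are set.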
Mitigation Strategies
- Software Update
- Access Control List (ACL) configuration
- Web Application Firewall (WAF) filtering
Remediation Steps:
- Identify the current Indico version by checking the administration panel or the indico --version command.
- If the version is below 3.3.11, schedule an immediate maintenance window.
- Upgrade Indico using pip: pip install --upgrade indico.
- Restart the Indico service and the worker processes (Celery) to apply the changes.
- Verify the fix by attempting to access the /event-series/ endpoints without a valid session: a patched instance should reject the anonymous request (login redirect or HTTP 401/403) instead of serving the handler.
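To make the verification step concrete, here is an added checking script (not code from the advisory or the Indico project). It sends one cookie-less GET to the /event-series/ path the advisory names and classifies the reply. The hostname is a placeholder; the expectation that a patched instance answers an anonymous client with a login redirect or 401/403 follows from the RHProtected base check that the fix reinstates, and GET is used on purpose because it cannot modify or delete series metadata even on an unpatched instance.

```python
"""Anonymous-access check for the Indico event-series handler (CVE-2026-28352).

Added example, not code from the Indico project or the advisory.  Assumes the
affected handler is mounted under /event-series/ as the advisory states; the
hostname used below is a placeholder.  Standard library only, so it runs from
any admin workstation without extra packages.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

LOGIN_MARKER = "/login"   # Indico's login page lives under /login/


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx: the redirect target is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


@dataclass
class Outcome:
    status: int
    location: str
    verdict: str   # "protected", "exposed" or "unknown"
    detail: str


def classify(status, headers):
    """Map one raw anonymous response to a verdict.

    On a patched instance RHProtected._check_access runs before the handler
    body and rejects the anonymous client: a browser-style request is sent to
    the login page, an API-style request gets 401/403.  A 2xx means the handler
    executed for a client with no session, i.e. the access check is absent.
    """
    location = headers.get("Location") or ""
    if status in (401, 403):
        return "protected", f"HTTP {status}: access check rejected the anonymous request"
    if status in (301, 302, 303, 307, 308):
        if LOGIN_MARKER in location:
            return "protected", f"redirected to the login page ({location})"
        return "unknown", f"redirected to {location or '?'}; inspect the target manually"
    if 200 <= status < 300:
        return "exposed", f"HTTP {status}: handler served content to an anonymous client"
    if status == 404:
        return "unknown", "route not found: check the path and the Indico version"
    if status == 405:
        return "unknown", ("method not allowed: Flask rejects the method before any "
                           "handler runs, so retry with a method this URL accepts")
    return "unknown", f"unexpected HTTP {status}"


def probe(base_url, path="/event-series/", method="GET", timeout=10):
    """Send a single cookie-less request and classify the reply.

    GET is deliberate: it cannot modify or delete series metadata even on a
    vulnerable instance, and because the fix lives in _check_access, which
    runs before the per-method code, a rejection on GET proves the check fires.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        method=method,
        headers={"Accept": "application/json", "User-Agent": "cve-2026-28352-check"},
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:    # 3xx (unfollowed), 4xx and 5xx land here
        status, headers = err.code, err.headers
    verdict, detail = classify(status, headers)
    return Outcome(status, headers.get("Location") or "", verdict, detail)


if __name__ == "__main__":
    # Usage: python check_event_series.py https://indico.example.org   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://indico.example.org"
    result = probe(target)
    print(f"{result.verdict.upper()} (HTTP {result.status}): {result.detail}")
    sys.exit(0 if result.verdict == "protected" else 1)
```

Run it before and after the upgrade: the verdict should move from EXPOSED to PROTECTED. A 405 means the URL you chose does not accept GET; because Flask answers 405 from routing before any handler code runs, that result says nothing about the access check, so pick a series URL that accepts GET rather than switching to a mutating method.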