CVE-2026-28352
Received Received - Intake
Unauthorized Access in Indico Event Series API Prior to

Publication date: 2026-02-27

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28352
EUVD
EUVD-2026-9071
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cern indico to 3.3.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28352 is a vulnerability in the Indico event management system affecting versions prior to 3.3.11. It arises because the API endpoint used to manage event series lacks an access check, allowing unauthenticated and unauthorized users to access it.

This flaw lets attackers retrieve metadata about events in a series, such as titles, category chains, and start/end dates. They can also delete or modify event series metadata, like toggling metadata display or setting event title patterns. However, it does not allow access to the actual event content or tampering with user-visible event data.

Impact Analysis

The vulnerability can impact you by allowing unauthorized users to access and manipulate event series metadata without authentication.

  • Unauthorized retrieval of event series metadata such as titles, category chains, and event dates.
  • Deletion of an existing event series, which removes series metadata including links between events and lecture series numbers.
  • Modification of event series metadata, including toggling metadata display and setting event title patterns.

Despite these impacts, the vulnerability does not allow unauthorized access to the actual event content or tampering with user-visible event data, limiting the overall severity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the vulnerability CVE-2026-28352 in Indico, the primary step is to update Indico to version 3.3.11, which includes the fix for the missing access check in the event series management API endpoint.

As a workaround before updating, you can restrict access to the series management API endpoint at the webserver level to prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart