anonhaven
Ad

CVE-2026-28352

MEDIUM CVSS 3.1: 6.5 EPSS 0.03%
Updated Feb 27, 2026
Flask
Parameter Value
CVSS 6.5 (MEDIUM)
Affected Versions before 3.3.11
Type CWE-306 (Missing Authentication for Critical Function)
Vendor Flask
Public PoC No

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series.

This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-306 Missing Authentication for Critical Function

References 2

https://github.com/indico/indico/releases/tag/v3.3.11
security-advisories@github.com
https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40112

Flask

6.1

CVE-2026-40035

Flask

9.3

CVE-2026-35490

Flask

9.8

CVE-2026-5577

Flask

6.9

CVE-2026-5321

Flask

5.3