CVE-2026-28352 Overview
CVE-2026-28352 is a Missing Authentication for Critical Function (CWE-306) vulnerability affecting CERN Indico, a widely-used event management system built on Flask-Multipass. The vulnerability exists in versions prior to 3.3.11, where the API endpoint responsible for managing event series lacks proper authentication and authorization checks, allowing unauthenticated or unauthorized users to access this critical functionality.
Critical Impact
Unauthorized access to the event series management API allows attackers to retrieve event metadata (title, category chain, start/end dates), delete existing event series, and modify series configurations without authentication.
Affected Products
- CERN Indico versions prior to 3.3.11
- Deployments using Flask-Multipass authentication backend
- Self-hosted and cloud-based Indico installations
Discovery Timeline
- 2026-02-27 - CVE-2026-28352 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28352
Vulnerability Analysis
This vulnerability represents a classic Broken Access Control flaw where the API endpoint used to manage event series operations fails to verify whether the requesting user has appropriate authentication credentials or authorization privileges. The affected endpoint accepts requests without validating session tokens or user permissions, enabling anonymous or low-privileged users to perform administrative actions on event series.
The impact is somewhat contained because the vulnerability only exposes limited event metadata rather than full event content. Attackers cannot access detailed event information, attendee data, or tamper with user-visible event content. However, the ability to delete or modify event series can still cause operational disruption to organizations relying on Indico for event management.
Root Cause
The root cause stems from a missing access control check in the event series management API endpoint. The Flask-based application fails to invoke authentication middleware or authorization decorators before processing requests to this endpoint, allowing the handler to execute without verifying the caller's identity or permissions. This represents a common oversight during API development where security checks implemented on web interface routes may not be consistently applied to API endpoints.
Attack Vector
The attack can be performed remotely over the network without any authentication. An attacker with network access to the Indico instance can directly call the vulnerable API endpoint to:
- Enumerate event metadata - Retrieve basic information about events in a series including titles, category chains, and scheduling data
- Delete event series - Remove existing event series from the system
- Modify event series - Alter configuration and properties of event series
The vulnerability does not require user interaction, and exploitation complexity is low since no authentication bypass techniques are needed—the endpoint simply lacks protection.
Detection Methods for CVE-2026-28352
Indicators of Compromise
- Unusual API requests to event series management endpoints from unauthenticated sessions
- Unexpected modifications or deletions of event series in Indico logs
- API access patterns from IP addresses outside normal administrative user ranges
- High volume of metadata queries against event series endpoints
Detection Strategies
- Monitor web server access logs for requests to the event series API endpoint without valid session cookies
- Implement anomaly detection for series deletion or modification operations
- Enable audit logging for all event series management operations
- Configure alerting for API access from untrusted network sources
Monitoring Recommendations
- Review Indico application logs for unauthorized series management operations
- Monitor for bulk metadata extraction patterns that may indicate reconnaissance
- Establish baseline for legitimate series management API usage patterns
- Implement real-time alerting for any event series deletion events
How to Mitigate CVE-2026-28352
Immediate Actions Required
- Upgrade CERN Indico to version 3.3.11 or later immediately
- Review recent event series modifications and deletions for unauthorized changes
- Audit access logs for evidence of exploitation attempts
- Restrict network access to Indico administrative APIs where possible
Patch Information
CERN has released Indico version 3.3.11 which addresses this vulnerability by implementing proper authentication and authorization checks on the event series management API endpoint. Organizations should upgrade to this version or later to remediate the issue.
For detailed patch information, see the GitHub Release for Indico v3.3.11 and the GitHub Security Advisory GHSA-rfpp-2hgm-gp5v.
Workarounds
- Use webserver configuration (nginx, Apache) to restrict access to the series management API endpoint
- Implement IP-based access controls to limit API access to trusted administrative networks
- Deploy a web application firewall (WAF) rule to block unauthenticated requests to the affected endpoint
- Consider temporarily disabling the series management API if not actively used
# Example nginx configuration to restrict series API access
location /api/series/ {
# Allow only from trusted administrative network
allow 10.0.0.0/8;
allow 192.168.1.0/24;
deny all;
# Or require HTTP Basic Auth as additional layer
# auth_basic "Restricted";
# auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://indico_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
