PT-2026-22401 · Indico

Lighthousekeeper1212

Published: 2026-02-27 · Updated: 2026-03-01

CVE-2026-28352

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.11

Description: Indico, an event management system utilizing Flask-Multipass, contains a flaw in the API endpoint responsible for managing event series. This endpoint lacks a necessary access check, potentially allowing unauthorized access. The impact is limited to retrieving metadata (title, category chain, start/end date) for event series, deleting existing series, and modifying existing series. This does not grant unauthorized access to events themselves or allow tampering with user-visible event data. The affected API endpoint is '/api/v1/event series'.

Recommendations: Update to version 3.3.11 or later. As a workaround, restrict access to the series management API endpoint using the webserver.

Exploit

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-28352
GHSA-RFPP-2HGM-GP5V

Affected Products

Flask-Multipass
Indico