PyPI: indico
CVE-2026-28352
Safety vulnerability ID: SFTY-20260301-56657
Safety legacy ID: pyup.io-88011
Overview
Indico has a missing access check in the event series management API
Advisory
Affected versions of the Indico package are vulnerable to Improper Access Control due to a missing access check on the event series management API. The indico.modules.events.series.controllers.RHEventSeries request handler exposes the /event-series/ and /event-series/<series_id> endpoints (including GET, PATCH, and DELETE) without consistently enforcing authorisation via RHProtected._check_access() and EventSeries.can_manage().
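The missing check described above, shown as an added example in a simplified model. This is not Indico's code and not taken from the advisory: the class and method names mirror the advisory text, while the dispatch logic, the users, and the assumption that the weak handler still requires a login are constructed for illustration. It contrasts a handler with no object-level check against one that calls can_manage() in the shared _check_access() hook, and includes a probe that a regression test can assert on.

```python
# Simplified model for illustration; NOT Indico's source. Names follow the
# advisory text; the dispatch logic and users are constructed assumptions.
class Forbidden(Exception):
    pass

class EventSeries:
    def __init__(self, series_id, managers):
        self.id, self.managers = series_id, set(managers)
    def can_manage(self, user):
        return user in self.managers

class RHProtected:
    """Base handler: process() runs _check_access() before any verb handler."""
    def __init__(self, user, series):
        self.user, self.series = user, series
    def _check_access(self):
        if self.user is None:
            raise Forbidden('authentication required')
    def process(self, verb):
        self._check_access()
        return getattr(self, '_process_' + verb)()

class RHEventSeriesUnchecked(RHProtected):
    """Weak pattern: any logged-in user reaches every verb on any series."""
    def _process_GET(self):
        return {'id': self.series.id}
    def _process_PATCH(self):
        return 'updated'
    def _process_DELETE(self):
        return 'deleted'

class RHEventSeriesChecked(RHEventSeriesUnchecked):
    """Hardened pattern: object-level check in the one hook all verbs share."""
    def _check_access(self):
        super()._check_access()
        if not self.series.can_manage(self.user):
            raise Forbidden('not a manager of this series')

def reachable_verbs(handler_cls, user, series):
    """Regression probe: list the verbs this user is allowed through."""
    allowed = []
    for verb in ('GET', 'PATCH', 'DELETE'):
        try:
            handler_cls(user, series).process(verb)
            allowed.append(verb)
        except Forbidden:
            pass
    return allowed
```

Putting the can_manage() call in the shared hook rather than in each verb method means a verb added later cannot skip it.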
References
- https://getsafety.com/vulnerabilities/SFTY-20260301-56657/CVE-2026-28352
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28352
- https://github.com/advisories/GHSA-rfpp-2hgm-gp5v
- https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v
- https://nvd.nist.gov/vuln/detail/CVE-2026-28352
- https://github.com/indico/indico/releases/tag/v3.3.11
