PYSEC-2026-1460

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/indico/PYSEC-2026-1460.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1460
Aliases
Published
2026-07-07T16:03:04.431161Z
Modified
2026-07-07T17:47:44.643622806Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Indico may disclose unauthorized user details access via legacy API
Details

Impact

A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check.

Patches

You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update.

Workarounds

It is possible to restrict access to the affected API (e.g. in the webserver config) which is most likely unused anyway and thus will not break anything.

For more information

If you have any questions or comments about this advisory:

References

Affected packages

PyPI / indico

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.8

Affected versions

0.*
0.98-rc1
0.98.0
0.98.1
0.98.2
0.99
1.*
1.0
1.1
1.1.1
1.1.2
1.2
1.2.1rc2
1.2.1rc4
1.2.1rc5
1.2.1rc6
1.2.1rc7
1.2.1rc9
1.2.1rc10
1.2.1rc11
1.2.1
1.2.2rc1
1.2.2
1.9.11.dev3
1.9.11.dev4
1.9.11.dev6
1.9.11.dev7
1.9.11.dev8
1.9.11.dev9
1.9.11.dev10
1.9.11.dev11
1.9.11.dev12
1.9.11.dev13
1.9.11.dev14
1.9.11.dev15
1.9.11.dev16
1.9.11.dev17
2.*
2.0a1
2.0rc1
2.0rc2
2.0
2.0.1
2.0.2
2.0.3
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
3.*
3.0rc1
3.0rc2
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/indico/PYSEC-2026-1460.yaml"