Broken Access Control in Indico Event Series Management (CVE-2026-28352)

Indico is a feature-rich event management system widely used for organizing conferences, workshops, and meetings. The platform relies on a complex hierarchy of categories, events, and series to structure content. A security vulnerability identified as CVE-2026-28352 exists in the module responsible for managing 'event series'—a logical grouping mechanism that links related events (e.g., a weekly lecture series).

The vulnerability is classified as a Missing Access Control issue (CWE-285). Specifically, the API endpoints handling the creation, modification, and deletion of event series data were exposed without mandatory authentication or authorization checks. In a standard Indico deployment, management functions are strictly reserved for event managers or system administrators. However, due to a lapse in the request handler inheritance structure, these specific endpoints accepted requests from any network user, regardless of their authentication status.

This flaw allows an attacker to bypass the intended security model entirely. By interacting directly with the backend API, an unauthorized actor can manipulate the metadata defining an event series. This includes modifying the title patterns used for cloning events and deleting the series association itself, which disrupts the logical organization of events within the system.

The root cause of this vulnerability lies in the implementation of the RHEventSeries class within Indico's backend logic. Indico utilizes a Flask-based architecture where request handling logic is encapsulated in classes derived from a base RH (Request Handler) class. Security in this framework is typically enforced through one of two mechanisms: explicitly implementing a _check_access method to validate permissions, or inheriting from a secure base class like RHProtected which enforces session validation by default.

In the affected versions (prior to 3.3.11), RHEventSeries inherited directly from the generic RH class. Critically, the developer failed to override the _check_access method. The base RH class is designed to be permissive for public endpoints, performing no authentication checks unless instructed otherwise. Consequently, when the Flask router dispatched HTTP requests to this handler, the application processed them immediately without verifying the identity of the requester or their permissions regarding the target event series.

This architectural oversight meant that the logic flow for critical actions—specifically process_POST, process_PATCH, and process_DELETE—executed in an unprivileged context. The system assumed, incorrectly, that access control was handled upstream or implicitly, leaving the endpoint wide open to public network traffic.

The remediation of CVE-2026-28352 involved hardening the class hierarchy and implementing explicit permission logic. The following analysis compares the vulnerable implementation with the patched version introduced in commit fb6d800fbab3ac987c642ad42b297ea3cdfc0593.

Vulnerable Implementation

The original code likely resembled the following structure, where RHEventSeries inherits from RH and lacks access control hooks:

# Vulnerable: Inherits from base RH, no access checks
class RHEventSeries(RH):
    def _process_args(self):
        self.series = EventSeries.get_or_404(request.view_args['series_id'])
 
    def _process_DELETE(self):
        # ... logic to delete series ...

Patched Implementation

The fix enforces security layers. First, the inheritance is changed to RHProtected to ensure a valid user session exists. Second, a specific _check_access method is added to verify that the user has management rights over the specific series being targeted.

# Fixed: Inherits from RHProtected and enforces specific permissions
class RHEventSeries(RHProtected):
    def _process_args(self):
        self.series = EventSeries.get_or_404(request.view_args['series_id'])
 
    def _check_access(self):
        # 1. Base check ensures user is logged in
        RHProtected._check_access(self)
        
        # 2. Specific check: User must manage ALL events in the series
        if self.series and not self.series.can_manage(session.user):
            raise NoReportError.wrap_exc(
                Forbidden(_('You can only manage a series if you can manage all its events.'))
            )

The patch also introduces the can_manage method on the EventSeries model, ensuring that management rights are consistent across all events linked to the series. This prevents a scenario where a user with rights to only one event in a series could modify the entire series settings.

Exploiting this vulnerability requires no authentication and can be performed by any attacker with network access to the Indico instance. The attack vector involves sending crafted HTTP requests to the /event-series/<series_id> endpoint. Since the ID is typically a sequential integer, an attacker can easily enumerate valid series IDs.

Attack Scenario: Deleting a Series

To break the association between events in a series, an attacker issues a DELETE request. This does not delete the events themselves but removes the EventSeries object, causing the events to lose their grouping and numbering metadata.

DELETE /event-series/12345 HTTP/1.1
Host: indico.target-org.example
Accept: application/json
# No Cookie or Authorization header required

Attack Scenario: Modifying Patterns

An attacker can also send a PATCH request to modify the event_title_pattern. This pattern is used when cloning events within the series. Malicious modification here could confuse legitimate administrators or, depending on how the title pattern is rendered in the administrative UI, potentially serve as a vector for stored Cross-Site Scripting (XSS) if output encoding is insufficient (though XSS is not the primary scope of this specific CVE).

PATCH /event-series/12345 HTTP/1.1
Host: indico.target-org.example
Content-Type: application/json
 
{
    "event_title_pattern": "HACKED_SERIES_{}"
}

The impact is immediate: the server processes the request and commits the changes to the database without challenging the user.

While CVE-2026-28352 allows unauthorized write access, the scope is limited to event series metadata. It does not provide direct access to sensitive user data, private event content, or uploaded files. The impact is primarily categorized as Integrity and Availability degradation regarding the organization of events.

Confidentiality (Low): The attacker can retrieve metadata about a series (titles, patterns) even if the series is associated with private events. However, the deep content of the events remains protected by separate ACLs.

Integrity (Low/Medium): The ability to modify the event_title_pattern allows an attacker to vandalize the configuration of a series. This can disrupt administrative workflows and lead to confusion among event organizers.

Availability (Low): By deleting the EventSeries object, the attacker disrupts the logical grouping of events. While the underlying event data persists, the structural integrity of the conference or lecture series is damaged, requiring administrative intervention to restore.

CVSS v3.1 Scoring: The vulnerability is assigned a Base Score of 6.5 (Medium). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N reflects the network-based attack vector, low complexity, and lack of privileges required, balanced by the limited scope of the impact.