Avelo Airlines PNR Flaw Exposed Millions of Passenger Records to Brute Force
Key Points
- Researcher discovered a critical vulnerability in Avelo's PNR system due to missing last name verification and rate limiting on reservation endpoints.
- The flaw allowed an attacker to brute-force 2.18 billion PNR combinations, potentially accessing all passenger data in approximately six hours.
- Exposed data included full PII, Known Traveler Numbers, passport details, flight itineraries, and partial payment card information.
- Avelo Airlines responded professionally, patching the critical security issues within four weeks of the initial responsible disclosure contact.
Avelo Airlines successfully remediated a critical security vulnerability within its Passenger Name Record (PNR) system that could have allowed an attacker to access sensitive personal and government identification data for millions of passengers. The flaw stemmed from two primary security lapses: the reservation lookup endpoint did not require a passenger's last name for verification, and the system lacked effective rate limiting. This configuration meant that the 6-character alphanumeric PNR code was the sole barrier to entry.
Security analysis showed that the total keyspace of 2.18 billion combinations (36^6) was highly susceptible to brute-force attack. Without rate limiting, an adversary using a modest server cluster could enumerate all valid reservations and extract passenger data within approximately six hours. The researcher who discovered the flaw demonstrated that the lack of rate limiting allowed their script to harvest hundreds of valid reservations, exposing troves of data including full names, dates of birth, contact information, and government IDs such as Known Traveler Numbers (KTNs) and passport numbers. Partial payment card details were also accessible.
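The two remediations described above, shown as an added Python example that is not Avelo's code: the keyspace arithmetic behind the six-hour estimate (the 100,000 requests per second rate is an assumed illustrative figure), and a lookup that requires the last name alongside the PNR and rate-limits each client. The reservation data is constructed sample data.

```python
import hmac
import string
import time

PNR_ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols
PNR_LENGTH = 6

def pnr_keyspace(alphabet_size=len(PNR_ALPHABET), length=PNR_LENGTH):
    """Number of possible record locators: 36**6 = 2,176,782,336."""
    return alphabet_size ** length

def hours_to_enumerate(requests_per_second):
    """Hours needed to try every code at a sustained rate with no rate limit."""
    return pnr_keyspace() / requests_per_second / 3600

# Constructed sample data standing in for the reservation database.
RESERVATIONS = {
    "A1B2C3": {"last_name": "DOE", "itinerary": "BUR-PDX"},
}

class ReservationLookup:
    """Lookup that requires PNR *and* last name and rate-limits each client."""

    def __init__(self, max_attempts, window_seconds, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self.attempts = {}  # client_id -> timestamps of recent attempts

    def lookup(self, client_id, pnr, last_name):
        now = self.clock()
        recent = [t for t in self.attempts.get(client_id, []) if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self.attempts[client_id] = recent
            return "rate_limited", None
        recent.append(now)
        self.attempts[client_id] = recent
        record = RESERVATIONS.get(pnr.upper())
        # Compare against a dummy when the PNR is unknown so the response path and
        # its timing do not by themselves reveal which codes exist.
        expected = record["last_name"] if record else "\0" * 16
        names_match = hmac.compare_digest(expected.upper().encode(),
                                          last_name.upper().encode())
        if names_match and record:
            return "ok", record
        return "denied", None
```

A per-client limit alone can be diluted by spreading requests across many sources, so the second factor (the last name) is what removes the PNR as the sole barrier; the limiter then caps how many guesses any one source gets against the combined check.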
The vulnerability was disclosed to Avelo Airlines on October 15, 2025. The airline’s cybersecurity team responded swiftly and professionally, acknowledging the severity of the findings. Avelo pushed a comprehensive fix to production on November 13, 2025, successfully patching both the missing last name verification and the lack of rate limiting on the affected endpoints. The successful and rapid remediation process was highlighted as a model example of effective security disclosure handling within the commercial aviation sector.