Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.
AnalysisAI
Authentication bypass in TREK collaborative travel planner (versions prior to 2.7.2) allows authenticated attackers with low privileges to access and modify trip photos without proper authorization. The missing authorization checks on Immich trip photo management routes enable unauthorized data access (high confidentiality impact) and limited integrity compromise. Exploitation requires authenticated access but no user interaction, exploitable remotely over network with low attack complexity.
Technical ContextAI
CWE-862 missing authorization vulnerability in photo management API endpoints. Application fails to validate user permissions before granting access to trip photo resources within the Immich integration layer. Authenticated users can bypass intended access controls to manipulate photo data belonging to other users' trips. Root cause is absent server-side authorization enforcement on sensitive routes (CPE: cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:*:*:*).
RemediationAI
Vendor-released patch: upgrade immediately to TREK version 2.7.2 or later, which implements proper authorization checks on Immich trip photo management routes. The fix is delivered via commit 16277a3811a00c2983f7486fee83c112986cb179. Organizations unable to upgrade immediately should restrict authenticated user access to TREK instances and audit trip photo access logs for unauthorized activity. Patched release available at https://github.com/mauriceboe/TREK/releases/tag/v2.7.2. Complete security advisory and technical details: https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72. No workaround exists; upgrade is the only complete mitigation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21587