Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.
AnalysisAI
TREK collaborative travel planner versions before 2.7.2 serve uploaded user photos without authentication, allowing unauthenticated remote attackers to enumerate and access private photo collections through direct URL access. The vulnerability is restricted to information disclosure with low impact due to attack complexity constraints, though it exposes sensitive travel-related imagery that users expect to be private.
Technical ContextAI
TREK is a collaborative travel planning application (CPE: cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:*:*:*) that implements photo upload functionality as a core feature for documenting trips. The vulnerability stems from CWE-306 (Missing Authentication Check), where the application fails to enforce access control on photo serving endpoints. Rather than validating user identity before delivering photo resources, the server exposes uploaded files at predictable or discoverable URLs, permitting unauthenticated enumeration. This is a classic separation-of-concerns failure where authentication middleware is either absent from image-serving routes or validation logic is incomplete.
RemediationAI
Vendor-released patch: TREK 2.7.2. Administrators must upgrade immediately to version 2.7.2 or later, which restores authentication enforcement on photo-serving endpoints. The fix is detailed in commit 16277a3811a00c2983f7486fee83c112986cb179 (https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179). For deployments unable to upgrade immediately, implement reverse-proxy authentication or IP-based access controls on photo serving paths as a temporary workaround, though patching remains required for proper remediation.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21585