Skip to main content

Trek EUVDEUVD-2026-21585

| CVE-2026-40184 LOW
Missing Authentication for Critical Function (CWE-306)
2026-04-10 GitHub_M
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.2
EUVD ID Assigned
Apr 10, 2026 - 20:15 euvd
EUVD-2026-21585
Analysis Generated
Apr 10, 2026 - 20:15 vuln.today
CVE Published
Apr 10, 2026 - 19:39 nvd
LOW 3.7

DescriptionGitHub Advisory

TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.

AnalysisAI

TREK collaborative travel planner versions before 2.7.2 serve uploaded user photos without authentication, allowing unauthenticated remote attackers to enumerate and access private photo collections through direct URL access. The vulnerability is restricted to information disclosure with low impact due to attack complexity constraints, though it exposes sensitive travel-related imagery that users expect to be private.

Technical ContextAI

TREK is a collaborative travel planning application (CPE: cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:*:*:*) that implements photo upload functionality as a core feature for documenting trips. The vulnerability stems from CWE-306 (Missing Authentication Check), where the application fails to enforce access control on photo serving endpoints. Rather than validating user identity before delivering photo resources, the server exposes uploaded files at predictable or discoverable URLs, permitting unauthenticated enumeration. This is a classic separation-of-concerns failure where authentication middleware is either absent from image-serving routes or validation logic is incomplete.

RemediationAI

Vendor-released patch: TREK 2.7.2. Administrators must upgrade immediately to version 2.7.2 or later, which restores authentication enforcement on photo-serving endpoints. The fix is detailed in commit 16277a3811a00c2983f7486fee83c112986cb179 (https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179). For deployments unable to upgrade immediately, implement reverse-proxy authentication or IP-based access controls on photo serving paths as a temporary workaround, though patching remains required for proper remediation.

Share

EUVD-2026-21585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy