Skip to main content

Trek EUVDEUVD-2026-21587

| CVE-2026-40185 HIGH
Missing Authorization (CWE-862)
2026-04-10 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 21, 2026 - 19:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.2
EUVD ID Assigned
Apr 10, 2026 - 20:15 euvd
EUVD-2026-21587
Analysis Generated
Apr 10, 2026 - 20:15 vuln.today
CVE Published
Apr 10, 2026 - 19:40 nvd
HIGH 7.1

DescriptionGitHub Advisory

TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.

AnalysisAI

Authentication bypass in TREK collaborative travel planner (versions prior to 2.7.2) allows authenticated attackers with low privileges to access and modify trip photos without proper authorization. The missing authorization checks on Immich trip photo management routes enable unauthorized data access (high confidentiality impact) and limited integrity compromise. Exploitation requires authenticated access but no user interaction, exploitable remotely over network with low attack complexity.

Technical ContextAI

CWE-862 missing authorization vulnerability in photo management API endpoints. Application fails to validate user permissions before granting access to trip photo resources within the Immich integration layer. Authenticated users can bypass intended access controls to manipulate photo data belonging to other users' trips. Root cause is absent server-side authorization enforcement on sensitive routes (CPE: cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:*:*:*).

RemediationAI

Vendor-released patch: upgrade immediately to TREK version 2.7.2 or later, which implements proper authorization checks on Immich trip photo management routes. The fix is delivered via commit 16277a3811a00c2983f7486fee83c112986cb179. Organizations unable to upgrade immediately should restrict authenticated user access to TREK instances and audit trip photo access logs for unauthorized activity. Patched release available at https://github.com/mauriceboe/TREK/releases/tag/v2.7.2. Complete security advisory and technical details: https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72. No workaround exists; upgrade is the only complete mitigation.

Share

EUVD-2026-21587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy