Executive Summary

CVE-2026-40184 is a security vulnerability in the TREK travel planner application prior to version 2.7.2. The issue allowed unauthenticated users to access uploaded photos without any authentication via the /uploads/photos/:filename route. This meant that anyone on the network could view photos that should have been protected.

Additionally, there was a missing access control on trip-related routes integrated with Immich, which allowed authenticated users to access photos and album links of trips they did not own. The vulnerability was fixed by enforcing authentication and authorization checks on these routes, requiring valid JWT tokens or share tokens to access uploaded photos, and restricting access to trip photos and album links only to authorized users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by exposing your uploaded photos to unauthorized users, potentially leading to privacy breaches. Since uploaded photos were accessible without authentication, anyone could view sensitive or private images.

Moreover, authenticated users could access or modify trip photos and album links of other users due to missing access control checks, which could lead to unauthorized data exposure or manipulation.

The overall impact is limited to confidentiality, with no effect on data integrity or availability. The CVSS base score is 3.7, indicating a low severity for the unauthenticated photo access but a higher severity for missing authorization on trip photo routes.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the TREK application version is prior to 2.7.2, as versions before this do not require authentication for accessing uploaded photos via the `/uploads/photos/:filename` route.

To detect unauthorized access attempts on your network or system, you can monitor HTTP requests to the `/uploads/photos/` endpoint that do not include valid JWT authentication tokens or share tokens.

Suggested commands include using network monitoring or web server access logs to filter requests to the vulnerable endpoint. For example, using `grep` on server logs:

• grep "/uploads/photos/" /var/log/nginx/access.log | grep -v "Authorization: Bearer"
• tcpdump or Wireshark filters to capture HTTP requests to `/uploads/photos/` without authentication headers.

Additionally, checking the application version can be done by querying the installed package version or inspecting the application metadata.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the TREK application to version 2.7.2 or later, where the vulnerability is fixed.

Version 2.7.2 enforces authentication on the `/uploads/photos/:filename` endpoint by requiring a valid JWT token or a valid share token, preventing unauthenticated access to uploaded photos.

Additional mitigation includes verifying that your deployment enforces the `canAccessTrip` authorization checks on trip-related photo and album routes, ensuring only authorized users can access or modify trip data.

It is also recommended to review and apply other security enhancements introduced in version 2.7.2, such as improved JWT handling, rate limiting, and encryption at rest.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allowed unauthenticated access to uploaded photos, exposing potentially sensitive user data without proper access controls. This unauthorized data exposure could conflict with compliance requirements in standards and regulations such as GDPR and HIPAA, which mandate protection of personal and sensitive information through appropriate access controls and authentication mechanisms.

The fix implemented in TREK version 2.7.2 enforces authentication and authorization checks on photo access routes, ensuring that only authorized users can access uploaded photos and trip-related data. This mitigation helps align the application with data protection principles required by common standards and regulations by preventing unauthorized data disclosure.

Useful 0 Not Useful 0