CVE-2026-40185
Received Received - Intake

Authorization Bypass in TREK Trip Photo Management Routes

Vulnerability report for CVE-2026-40185, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-10

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description

TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-10
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mauriceboe trek to 2.7.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40185 is a missing authorization vulnerability in the TREK npm package versions prior to 2.7.2, specifically affecting the Immich trip photo management routes.

In version 2.7.1, TREK did not perform authorization checks on routes handling Immich trip photos, including GET, POST, DELETE requests to /trips/:tripId/photos, PUT requests to /sharing, and all album-link routes.

This flaw allowed any authenticated user to access trip photos for trips they were not members of, exposing sensitive data.

The issue was fixed in version 2.7.2 by adding authorization checks (canAccessTrip) to all affected routes, so unauthorized users now receive a 404 response when attempting to access trips they do not belong to.

Detection Guidance

This vulnerability can be detected by attempting to access the Immich trip photo management routes without proper authorization and observing if unauthorized access is granted.

  • Send authenticated requests to the following endpoints and check for unauthorized access:
  • GET, POST, DELETE requests to `/trips/:tripId/photos`
  • PUT requests to `/sharing`
  • Requests to all album-link routes

If unauthorized users can access trip photos for trips they are not members of, the vulnerability is present. In a secure system, unauthorized access attempts should return a 404 response.

Example command using curl to test unauthorized access (replace placeholders accordingly):

  • curl -i -H "Authorization: Bearer <token_of_authenticated_user>" https://<trek-server>/trips/<tripId>/photos
Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the TREK npm package to version 2.7.2 or later, where the missing authorization checks have been implemented.

This update adds the necessary `canAccessTrip` authorization checks to all affected routes, preventing unauthorized users from accessing trip photos they do not belong to.

Until the upgrade is applied, restrict access to the affected endpoints to trusted users only and monitor for suspicious access patterns.

Compliance Impact

This vulnerability allows unauthorized authenticated users to access trip photos for trips they are not members of, leading to unauthorized disclosure of sensitive data.

Such unauthorized data exposure can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

By failing to enforce proper authorization checks, the affected versions of TREK risk violating confidentiality requirements mandated by these regulations.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive trip photo data to authenticated users who are not members of those trips.

Because the attack vector is network-based and requires only low privileges (an authenticated user), it is relatively easy to exploit.

The confidentiality impact is high, meaning sensitive information can be exposed, while the integrity impact is low and there is no impact on availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart