Detection Guidance

This vulnerability can be detected by attempting to access the Immich trip photo management routes without proper authorization and observing if unauthorized access is granted.

• Send authenticated requests to the following endpoints and check for unauthorized access:
• GET, POST, DELETE requests to `/trips/:tripId/photos`
• PUT requests to `/sharing`
• Requests to all album-link routes

If unauthorized users can access trip photos for trips they are not members of, the vulnerability is present. In a secure system, unauthorized access attempts should return a 404 response.

Example command using curl to test unauthorized access (replace placeholders accordingly):

• curl -i -H "Authorization: Bearer <token_of_authenticated_user>" https://<trek-server>/trips/<tripId>/photos

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the TREK npm package to version 2.7.2 or later, where the missing authorization checks have been implemented.

This update adds the necessary `canAccessTrip` authorization checks to all affected routes, preventing unauthorized users from accessing trip photos they do not belong to.

Until the upgrade is applied, restrict access to the affected endpoints to trusted users only and monitor for suspicious access patterns.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40185 is a missing authorization vulnerability in the TREK npm package versions prior to 2.7.2, specifically affecting the Immich trip photo management routes.

In version 2.7.1, TREK did not perform authorization checks on routes handling Immich trip photos, including GET, POST, DELETE requests to /trips/:tripId/photos, PUT requests to /sharing, and all album-link routes.

This flaw allowed any authenticated user to access trip photos for trips they were not members of, exposing sensitive data.

The issue was fixed in version 2.7.2 by adding authorization checks (canAccessTrip) to all affected routes, so unauthorized users now receive a 404 response when attempting to access trips they do not belong to.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive trip photo data to authenticated users who are not members of those trips.

Because the attack vector is network-based and requires only low privileges (an authenticated user), it is relatively easy to exploit.

The confidentiality impact is high, meaning sensitive information can be exposed, while the integrity impact is low and there is no impact on availability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized authenticated users to access trip photos for trips they are not members of, leading to unauthorized disclosure of sensitive data.

Such unauthorized data exposure can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

By failing to enforce proper authorization checks, the affected versions of TREK risk violating confidentiality requirements mandated by these regulations.

Useful 0 Not Useful 0