CVE-2026-40185
Authorization Bypass in TREK Trip Photo Management Routes
Publication date: 2026-04-10
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mauriceboe | trek | to 2.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40185 is a missing authorization vulnerability in the TREK npm package versions prior to 2.7.2, specifically affecting the Immich trip photo management routes.
In version 2.7.1, TREK did not perform authorization checks on routes handling Immich trip photos, including GET, POST, DELETE requests to /trips/:tripId/photos, PUT requests to /sharing, and all album-link routes.
This flaw allowed any authenticated user to access trip photos for trips they were not members of, exposing sensitive data.
The issue was fixed in version 2.7.2 by adding authorization checks (canAccessTrip) to all affected routes, so unauthorized users now receive a 404 response when attempting to access trips they do not belong to.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive trip photo data to authenticated users who are not members of those trips.
Because the attack vector is network-based and requires only low privileges (an authenticated user), it is relatively easy to exploit.
The confidentiality impact is high, meaning sensitive information can be exposed, while the integrity impact is low and there is no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the Immich trip photo management routes without proper authorization and observing if unauthorized access is granted.
- Send authenticated requests to the following endpoints and check for unauthorized access:
- GET, POST, DELETE requests to `/trips/:tripId/photos`
- PUT requests to `/sharing`
- Requests to all album-link routes
If unauthorized users can access trip photos for trips they are not members of, the vulnerability is present. In a secure system, unauthorized access attempts should return a 404 response.
Example command using curl to test unauthorized access (replace placeholders accordingly):
- curl -i -H "Authorization: Bearer <token_of_authenticated_user>" https://<trek-server>/trips/<tripId>/photos
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the TREK npm package to version 2.7.2 or later, where the missing authorization checks have been implemented.
This update adds the necessary `canAccessTrip` authorization checks to all affected routes, preventing unauthorized users from accessing trip photos they do not belong to.
Until the upgrade is applied, restrict access to the affected endpoints to trusted users only and monitor for suspicious access patterns.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized authenticated users to access trip photos for trips they are not members of, leading to unauthorized disclosure of sensitive data.
Such unauthorized data exposure can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
By failing to enforce proper authorization checks, the affected versions of TREK risk violating confidentiality requirements mandated by these regulations.