Description
TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.
Published: 2026-04-10
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch
AI Analysis

Impact

TREK, a collaborative travel planning application, exposed uploaded photographs to any user before version 2.7.2. The application failed to enforce authentication when serving these files, permitting an attacker to retrieve any photo that had been previously uploaded. This flaw results in a confidentiality breach, allowing adversaries to view or steal private media without permission. The weakness aligns with CWE-306, which involves missing or ineffective authentication controls.

Affected Systems

The affected product is TREK by Mauriceboe. Versions released prior to 2.7.2 are vulnerable. Users running any build before the patch have cells of plain access to uploaded media.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity from a technical perspective. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is remote and unauthenticated: a malicious actor can perform a simple HTTP request to the photo URL and obtain the content. Because the flaw removes authentication entirely, the risk to confidentiality is high for any user contributing photos to the platform, while the overall likelihood of large‑scale impact is limited by the low CVSS rating.

Generated by OpenCVE AI on April 10, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TreK to version 2.7.2 or later, which restores authentication for uploaded files.
  • Verify that all file endpoints now require valid user credentials.
  • If an upgrade is not immediately possible, restrict public access to the upload directory using web server rules or application configuration until a patch is applied.

Generated by OpenCVE AI on April 10, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:*:*:*

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mauriceboe
Mauriceboe trek
Vendors & Products Mauriceboe
Mauriceboe trek

Fri, 10 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.
Title Unauthenticated Access to Uploaded Files in TREK
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Mauriceboe Trek
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T16:12:51.487Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40184

cve-icon Vulnrichment

Updated: 2026-04-13T16:12:47.106Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T20:16:23.417

Modified: 2026-04-21T19:24:27.903

Link: CVE-2026-40184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:57:30Z

Weaknesses