Description
TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to Immich trip photos through missing authorization checks
Action: Apply patch
AI Analysis

Impact

In TREK versions prior to 2.7.2, the routes that manage Immich trip photos lack proper authorization checks. This allows any user—whether authenticated or not—to call those endpoints and retrieve or manipulate photos associated with any trip. As a result, confidential travel imagery could be exposed and integrity of photo management could be compromised. The weakness corresponds to unauthorized access (CWE-862).

Affected Systems

The affected product is TREK, a collaborative travel planner. All releases before version 2.7.2 are vulnerable; the issue is fixed in the 2.7.2 release. Users running earlier builds should treat these versions as exposed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity risk, with the main concern being confidentiality due to potential unrestricted photo access. The EPSS score is not available, but the lack of a KEV listing suggests no publicly known exploits yet. The vulnerability can be exploited by sending standard HTTP requests to the protected endpoints; no special conditions beyond basic network access are required.

Generated by OpenCVE AI on April 10, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TREK to version 2.7.2 or later, which implements proper authorization checks for Immich trip photo routes.

Generated by OpenCVE AI on April 10, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:node.js:*:*

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mauriceboe
Mauriceboe trek
Vendors & Products Mauriceboe
Mauriceboe trek

Fri, 10 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.
Title Missing Authorization on Immich Trip Photo Routes in TREK
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Mauriceboe Trek
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T15:09:36.514Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40185

cve-icon Vulnrichment

Updated: 2026-04-15T15:09:30.743Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T20:16:23.573

Modified: 2026-04-21T19:22:43.510

Link: CVE-2026-40185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:57:29Z

Weaknesses