Description
TREK is a collaborative travel planner. Prior to 3.0.18, an early return on a missing user during the login flow allowed an attacker to enumerate valid user accounts via a response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TREK’s authentication flow permits an attacker to distinguish valid email addresses from invalid ones by observing response times. When a supplied address exists, the backend performs a bcrypt password comparison before returning a 401 Unauthorized, adding roughly 370 ms of latency. If the address does not exist, the system returns in about 10 ms. The ~14× timing disparity can be detected even though HTTP status codes and bodies are identical, enabling enumeration of registered users without any additional information leakage.
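The early-return shape described above, beside the always-compare shape that keeps the unknown-email and wrong-password paths equally expensive, as an added example that is not TREK's own code. It assumes a constructed in-memory user store and sample addresses, and swaps the backend's bcrypt comparison for standard-library PBKDF2 so it runs without third-party packages; `timing_ratio` is a regression check a defender can run, and it should stay near 1.0 for the hardened handler.

```python
import hashlib, hmac, os, statistics, time

# Stand-in for the backend's bcrypt comparison: stdlib PBKDF2, tuned to cost
# tens of milliseconds per call so the timing gap is visible without bcrypt installed.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store (email -> (salt, hash)); not real TREK data.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential so the unknown-email path performs the same work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)

def verify(stored: bytes, salt: bytes, password: str) -> bool:
    return hmac.compare_digest(stored, hash_password(password, salt))

def login_vulnerable(email: str, password: str) -> int:
    """Pre-3.0.18 shape: an unknown email returns before any hashing is done."""
    record = USERS.get(email)
    if record is None:
        return 401  # early return: no hash cost, so this 401 arrives much sooner
    salt, stored = record
    return 200 if verify(stored, salt, password) else 401

def login_hardened(email: str, password: str) -> int:
    """Always hash, then decide: unknown-email and wrong-password paths cost the same."""
    record = USERS.get(email)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = verify(stored, salt, password)
    # The dummy hash must never grant access, even if its password were guessed.
    return 200 if (ok and record is not None) else 401

def median_ms(handler, email: str, password: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        handler(email, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)

def timing_ratio(handler, rounds: int = 5) -> float:
    """Known-email (wrong password) time over unknown-email time; ~1.0 means no leak."""
    known = median_ms(handler, "alice@example.com", "wrong", rounds)
    unknown = median_ms(handler, "nobody@example.com", "wrong", rounds)
    return known / unknown
```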

Affected Systems

This flaw affects all instances of the TREK collaborative travel planner built by mauriceboe running versions earlier than 3.0.18. Versions 3.0.18 and later contain the fix; no other versions are known to be affected.

Risk and Exploitability

Based on the description, the likely attack vector is remote access to the publicly exposed authentication endpoint. The attacker only needs to send repeated login attempts with different email addresses to observe the timing discrepancy. The severity is moderate, with a CVSS score of 5.3. Because EPSS is not available and the vulnerability is not flagged in the CISA KEV catalog, the likelihood of exploitation remains uncertain, but user enumeration can facilitate credential stuffing or social engineering.

Generated by OpenCVE AI on May 29, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to TREK version 3.0.18 or later to eliminate the timing difference.
  • Introduce rate limiting or throttling on the authentication endpoint to make repeated timing measurements impractical.
  • Remove or obfuscate any error messages that disclose whether an email address exists, ensuring responses remain indistinguishable in both content and timing.


Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 01:30:00 +0000

Type: First Time appeared
Values Added: Mauriceboe, Mauriceboe trek

Type: Vendors & Products
Values Added: Mauriceboe, Mauriceboe trek

Thu, 28 May 2026 22:15:00 +0000

Type: Description
Values Added: TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.

Type: Title
Values Added: Time-based user enumeration in TREK authentication endpoint

Type: Weaknesses
Values Added: CWE-203, CWE-208

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:46:58.159Z

Reserved: 2026-05-12T01:48:40.452Z

Link: CVE-2026-45410

Vulnrichment

Updated: 2026-05-29T14:46:52.320Z

NVD

Status : Deferred

Published: 2026-05-28T22:17:01.050

Modified: 2026-05-29T16:32:14.400

Link: CVE-2026-45410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T01:15:06Z

Weaknesses