{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40185", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.619Z", "datePublished": "2026-04-10T19:40:16.382Z", "dateUpdated": "2026-04-15T15:09:36.514Z"}, "containers": {"cna": {"title": "Missing Authorization on Immich Trip Photo Routes in TREK", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72"}, {"name": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179", "tags": ["x_refsource_MISC"], "url": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179"}, {"name": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2"}], "affected": [{"vendor": "mauriceboe", "product": "TREK", "versions": [{"version": "< 2.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:40:16.382Z"}, "descriptions": [{"lang": "en", "value": "TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2."}], "source": {"advisory": "GHSA-pcr3-6647-jh72", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:08:28.395142Z", "id": "CVE-2026-40185", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:09:36.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40185", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:08:28.395142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:09:30.743Z"}}], "cna": {"title": "Missing Authorization on Immich Trip Photo Routes in TREK", "source": {"advisory": "GHSA-pcr3-6647-jh72", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mauriceboe", "product": "TREK", "versions": [{"status": "affected", "version": "< 2.7.2"}]}], "references": [{"url": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72", "name": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179", "name": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2", "name": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:40:16.382Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40185", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:09:36.514Z", "dateReserved": "2026-04-09T20:59:17.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:40:16.382Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FF5D262A-7F86-423E-9001-27183BE3840F", "versionEndIncluding": "2.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2."}], "id": "CVE-2026-40185", "lastModified": "2026-04-21T19:22:43.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T20:16:23.573", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "TREK", "source": "cna", "vendor": "mauriceboe"}, "product": "trek", "vendor": "mauriceboe"}], "analysis": {"en": {"generated_at": "2026-04-10T21:23:47.393143+00:00", "value": {"mitigation_remediation": ["Upgrade TREK to version 2.7.2 or later, which implements proper authorization checks for Immich trip photo routes."], "summary": {"action": "Apply patch", "impact": "Unauthorized access to Immich trip photos through missing authorization checks"}, "threat_synthesis": {"affected_systems": "The affected product is TREK, a collaborative travel planner. All releases before version 2.7.2 are vulnerable; the issue is fixed in the 2.7.2 release. Users running earlier builds should treat these versions as exposed.", "description_and_impact": "In TREK versions prior to 2.7.2, the routes that manage Immich trip photos lack proper authorization checks. This allows any user\u2014whether authenticated or not\u2014to call those endpoints and retrieve or manipulate photos associated with any trip. As a result, confidential travel imagery could be exposed and integrity of photo management could be compromised. The weakness corresponds to unauthorized access (CWE-862).", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity risk, with the main concern being confidentiality due to potential unrestricted photo access. The EPSS score is not available, but the lack of a KEV listing suggests no publicly known exploits yet. The vulnerability can be exploited by sending standard HTTP requests to the protected endpoints; no special conditions beyond basic network access are required."}}}}, "created": "2026-04-13T12:42:41.326962+00:00", "updated": "2026-04-13T12:57:29.037703+00:00", "vendors": ["mauriceboe", "mauriceboe$PRODUCT$trek"]}