{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40185/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-40185"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-40185","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTREK is a collaborative travel planning application. Prior to version 2.7.2, the Immich trip photo management routes lacked proper authorization checks: the application did not verify that the requester was permitted to act on the photos of the trip named in the request. This flaw, tracked as CVE-2026-40185, could allow unauthorized users to access and manipulate trip photos. The vulnerability was reported by GitHub, Inc. and patched in TREK version 2.7.2. Defenders should ensure they are running version 2.7.2 or later to mitigate this risk. 
This vulnerability affects systems running vulnerable versions of the TREK application and could impact the confidentiality and integrity of user data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable TREK instance running a version prior to 2.7.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the Immich trip photo management routes that targets a trip the attacker is not authorized to access.\u003c/li\u003e\n\u003cli\u003eBecause the routes perform no authorization check, the server handles the request without verifying that the attacker is permitted to act on that trip's photos.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to trip photos.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete trip photos, impacting data integrity.\u003c/li\u003e\n\u003cli\u003eThe attacker could use the exposed photos to gather sensitive information about the trip and its participants.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially upload malicious images to the photo storage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40185 can lead to unauthorized access to and modification of trip photos within the TREK travel planner. While the number of affected users is unknown, any TREK instance running a version prior to 2.7.2 is susceptible. This could result in a breach of confidentiality, data manipulation, and reputational damage for the operator. 
Any organization that plans travel collaboratively in TREK is exposed in proportion to what its trip photos reveal about itineraries and participants.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all TREK instances to version 2.7.2 or later to remediate CVE-2026-40185.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious TREK Photo Route Access\u003c/code\u003e to detect potential exploitation attempts targeting the vulnerable photo management routes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the Immich trip photo management routes from accounts that are not members of the referenced trip, and for unusual volumes of photo reads, modifications or deletions.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to the TREK server for unusual patterns or connections that might indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-trek-auth-bypass/","summary":"TREK collaborative travel planner before version 2.7.2 is vulnerable to missing authorization checks on the Immich trip photo management routes, potentially allowing unauthorized access to trip photos.","title":"TREK Travel Planner Missing Authorization Vulnerability (CVE-2026-40185)","url":"https://feed.craftedsignal.io/briefs/2026-04-trek-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40185","version":"https://jsonfeed.org/version/1.1"}
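The flaw class behind the advisory above, shown as an added example that is not TREK's own code: a trip-scoped photo route that trusts the trip id in the request beside the same route with an object-level authorization check. The trip and user ids, the in-memory data model and the function names are hypothetical; the brief does not publish TREK's route handlers or schema.

```python
"""Added example: object-level authorization for trip-scoped photo routes.
Not TREK's code. Trip ids, user ids, the data model and handler names are
hypothetical, constructed here so the example runs offline."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not a member of the requested trip."""


@dataclass
class Trip:
    trip_id: str
    members: set                                  # user ids allowed on this trip
    photos: dict = field(default_factory=dict)    # photo_id -> caption


def make_trips():
    """Constructed sample data: two trips with disjoint membership."""
    return {
        "trip-1": Trip("trip-1", {"alice", "bob"}, {"p1": "beach", "p2": "hotel"}),
        "trip-2": Trip("trip-2", {"carol"}, {"p3": "summit"}),
    }


# --- vulnerable pattern: the route trusts the trip id in the URL -------------

def list_photos_vulnerable(trips, user_id, trip_id):
    # Authentication may have happened upstream, but nothing checks that
    # user_id belongs to trip_id, so any caller can read any trip's photos.
    return dict(trips[trip_id].photos)


def delete_photo_vulnerable(trips, user_id, trip_id, photo_id):
    # Same gap on a write path: the caller's relationship to the trip is ignored.
    return trips[trip_id].photos.pop(photo_id, None) is not None


# --- hardened pattern: resolve the object, then check the caller against it --

def require_trip_member(trips, user_id, trip_id):
    """Object-level authorization. An unknown trip and a trip the caller is not
    a member of raise the same error, so responses do not reveal which trip
    ids exist."""
    trip = trips.get(trip_id)
    if trip is None or user_id not in trip.members:
        raise Forbidden(f"{user_id!r} may not access trip {trip_id!r}")
    return trip


def list_photos_fixed(trips, user_id, trip_id):
    return dict(require_trip_member(trips, user_id, trip_id).photos)


def delete_photo_fixed(trips, user_id, trip_id, photo_id):
    trip = require_trip_member(trips, user_id, trip_id)
    # Photos are stored under their trip, so a photo id from another trip
    # cannot be reached through this trip's handle.
    return trip.photos.pop(photo_id, None) is not None


def denies(handler, *args):
    """True if the handler refuses the call with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


def outsider_access(handler_list, handler_delete):
    """Run one pair of handlers as 'carol', who belongs only to trip-2, against
    trip-1. Returns what she could see, whether her delete went through, and
    which photos survived."""
    trips = make_trips()
    try:
        seen = sorted(handler_list(trips, "carol", "trip-1"))
        deleted = handler_delete(trips, "carol", "trip-1", "p1")
    except Forbidden:
        seen, deleted = [], False
    return {"seen": seen, "deleted": deleted, "remaining": sorted(trips["trip-1"].photos)}


if __name__ == "__main__":
    print("vulnerable:", outsider_access(list_photos_vulnerable, delete_photo_vulnerable))
    print("fixed:     ", outsider_access(list_photos_fixed, delete_photo_fixed))
```

In a real framework the `require_trip_member` step belongs in a dependency or middleware applied to every route under the trip prefix rather than being re-typed per handler, which is exactly where a single omitted call produces the advisory's bug. The same membership lookup is also what a log-based check needs: a photo route hit where the authenticated account is not in the trip's member set is the signal the advisory's Sigma rule and log-monitoring recommendation are after.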