Platform: php
Component: trek
Fixed in: 2.7.3
CVE-2026-40184 is a security vulnerability affecting the TREK collaborative travel planner. This issue allows unauthorized access to uploaded photos, potentially exposing sensitive travel plans and personal data. The vulnerability impacts versions 1.0.0 through 2.7.2 and is resolved in version 2.7.2.
The primary impact of CVE-2026-40184 is the unauthorized disclosure of user-uploaded photos. An attacker could exploit this vulnerability to gain access to travel itineraries, personal images, and other potentially sensitive information shared within the TREK application. While the CVSS score is LOW, the potential for data exposure, especially if photos contain personally identifiable information (PII), warrants immediate attention. The lack of authentication for accessing these files means any user, even without an account, can retrieve them, significantly broadening the attack surface.
This vulnerability was publicly disclosed on 2026-04-10. There are currently no known public proof-of-concept exploits. The CVSS score of 3.7 (LOW) reflects limited severity rather than likelihood of attack, and the EPSS estimate is low, but because the files can be fetched without any credentials the issue could be exploited opportunistically. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (19th percentile)
The recommended mitigation for CVE-2026-40184 is to immediately upgrade TREK to version 2.7.2 or later. This version includes the necessary fix to require authentication before accessing uploaded photos. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting access to the photo storage directory through web server configuration (e.g., .htaccess for Apache, or equivalent for other web servers). Verify the fix after upgrading by attempting to access a previously uploaded photo without logging in; access should be denied.
Update TREK to version 2.7.2 or later to prevent unauthenticated access to uploaded files. This update fixes the vulnerability by requiring authentication to access uploaded photos.
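As an added example, not code from the TREK project, the following PHP handler shows the shape of the fix the advisory describes: uploaded photos are served only to an authenticated session, with the file name validated so the handler cannot be used to read anything outside the upload directory. The upload path, the `$_SESSION['user_id']` key and the `photo_is_visible_to()` helper are assumptions about how the application is laid out.

```php
<?php
// Added example (not TREK's own code): serve a user-uploaded photo only to an
// authenticated session. Assumed layout: photos live outside the web root in
// UPLOAD_DIR, and the app's login flow sets $_SESSION['user_id']. Pair this
// with a web server rule that denies direct requests to the upload directory
// (for Apache: "Require all denied" on that directory).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/trek-uploads'; // hypothetical path, outside web root

session_start();

// 1. Authentication gate: no logged-in session, no photo.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    header('Content-Type: text/plain');
    exit('Authentication required');
}

// 2. Accept only a simple basename with an image extension, so "../" or an
//    absolute path cannot escape UPLOAD_DIR.
$name = $_GET['photo'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif|webp)$/', $name)) {
    http_response_code(400);
    exit('Invalid photo name');
}

// 3. Resolve the path and re-check that it is still inside UPLOAD_DIR
//    (covers symlinks that might have been placed in the upload directory).
$base = realpath(UPLOAD_DIR);
$real = realpath(UPLOAD_DIR . '/' . $name);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 4. Authorization: only users the photo is shared with may view it.
//    photo_is_visible_to() is a hypothetical helper backed by the app's database.
if (!photo_is_visible_to($name, (int) $_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 5. Send the bytes with a MIME type taken from the file content, not the
//    extension, and nosniff so the browser does not reinterpret the response.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($real) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($real));
header('Cache-Control: private, no-store');
readfile($real);
```

The verification step from the mitigation section applies unchanged: requesting a known photo URL without a session must now return 401 rather than the image.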
CVE-2026-40184 is a vulnerability in TREK versions 1.0.0 through 2.7.2 that allows unauthorized access to uploaded photos, potentially exposing sensitive travel data.
If you are using TREK version 1.0.0 through 2.7.2, you are potentially affected by this vulnerability. Upgrade to 2.7.2 to mitigate the risk.
Upgrade TREK to version 2.7.2 or later. As a temporary workaround, restrict access to the photo storage directory through web server configuration.
There are currently no known active exploits for CVE-2026-40184, but the ease of access to the files means it could be exploited opportunistically.
Refer to the TREK project's official website or security announcements for the advisory related to CVE-2026-40184.