HIGHCVE-2026-40185CVSS 7.1

CVE-2026-40185: Authorization Bypass in TREK Travel Planner

Q: What is CVE-2026-40185 — Authorization Bypass in TREK Travel Planner?

CVE-2026-40185 is a HIGH severity vulnerability in TREK Travel Planner versions 1.0.0 through 2.7.2 that allows unauthorized access to trip photo management routes.

Q: Am I affected by CVE-2026-40185 in TREK Travel Planner?

Yes, if you are using TREK Travel Planner versions 1.0.0 through 2.7.2, you are affected by this vulnerability.

Q: How do I fix CVE-2026-40185 in TREK Travel Planner?

Upgrade TREK Travel Planner to version 2.7.2 or later to resolve this authorization bypass vulnerability.

Q: Is CVE-2026-40185 being actively exploited?

Currently, there are no known active exploits for CVE-2026-40185, but it is crucial to apply the patch promptly.

Q: Where can I find the official TREK Travel Planner advisory for CVE-2026-40185?

Refer to the TREK Travel Planner project's official communication channels and release notes for the advisory regarding CVE-2026-40185.

Platform

nodejs

Component

trek-travel-planner

Fixed in

2.7.3

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-40185 describes an authorization bypass vulnerability discovered in TREK Travel Planner. This flaw allows attackers to access trip photo management routes without proper authentication, potentially leading to unauthorized data exposure. The vulnerability affects versions 1.0.0 through 2.7.2 and has been resolved in version 2.7.2.

Impact and Attack Scenarios

An attacker exploiting this authorization bypass can gain unauthorized access to trip photo management routes within the TREK Travel Planner application. This could allow them to view, modify, or delete sensitive travel-related photos and associated metadata. The potential impact includes exposure of personal travel itineraries, private photos, and potentially other sensitive information stored within the application. While the scope is limited to the photo management functionality, successful exploitation could compromise the privacy and security of users' travel plans.

Exploitation Context

CVE-2026-40185 was publicly disclosed on 2026-04-10. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.03% (8% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componenttrek-travel-planner

Vendormauriceboe

Affected rangeFixed in

< 2.7.2 – < 2.7.22.7.3

Weakness Classification (CWE)

CWE-862

Timeline

Reserved2026-04-09
Published2026-04-10
Modified2026-04-15
EPSS updated2026-04-18

Mitigation and Workarounds

The primary mitigation for CVE-2026-40185 is to immediately upgrade TREK Travel Planner to version 2.7.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the photo management routes through a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to these routes from unauthorized users or IP addresses. After upgrading, confirm the fix by attempting to access the photo management routes without proper authentication; access should be denied.

How to fix

Update TREK to version 2.7.2 or higher to mitigate the authorization vulnerability. This update implements the necessary authorization checks in the Immich trip photo management routes, preventing unauthorized access to data.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-40185 — Authorization Bypass in TREK Travel Planner?

CVE-2026-40185 is a HIGH severity vulnerability in TREK Travel Planner versions 1.0.0 through 2.7.2 that allows unauthorized access to trip photo management routes.

Am I affected by CVE-2026-40185 in TREK Travel Planner?

Yes, if you are using TREK Travel Planner versions 1.0.0 through 2.7.2, you are affected by this vulnerability.

How do I fix CVE-2026-40185 in TREK Travel Planner?

Upgrade TREK Travel Planner to version 2.7.2 or later to resolve this authorization bypass vulnerability.

Is CVE-2026-40185 being actively exploited?

Currently, there are no known active exploits for CVE-2026-40185, but it is crucial to apply the patch promptly.

Where can I find the official TREK Travel Planner advisory for CVE-2026-40185?

Refer to the TREK Travel Planner project's official communication channels and release notes for the advisory regarding CVE-2026-40185.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.