CVE-2026-45410
MEDIUM
Time-based user enumeration in TREK authentication endpoint
Title source: cnaDescription
TREK is a collaborative travel planner. Prior to 3.0.18, an early return on a missing user during the login flow allowed an attacker to enumerate valid user accounts via a response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.
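The pattern described above, as an added illustration that is not TREK's code and not taken from the advisory: a login routine with the early return on an unknown email beside a hardened routine that always performs one password-hash comparison (against a pre-computed dummy credential when the account does not exist), so both rejection paths do the same expensive work. PBKDF2 from the standard library stands in for bcrypt here so the example runs offline; the user store, email addresses and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import time

# PBKDF2 stands in for bcrypt; the iteration count is chosen only so that
# the hash visibly dominates the request time, like bcrypt's cost factor.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    """Holds an email -> (salt, hash) store and two login implementations."""

    def __init__(self, users: dict):
        self.users = users
        # Dummy credential hashed at the same cost as real ones; used to keep
        # the unknown-user path as slow as the known-user path.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = hash_password(secrets.token_urlsafe(32), self.dummy_salt)
        self.hash_calls = 0  # instrumentation: how many slow comparisons ran

    def _verify(self, password: str, salt: bytes, stored: bytes) -> bool:
        self.hash_calls += 1
        return hmac.compare_digest(hash_password(password, salt), stored)

    def login_vulnerable(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            return False  # early return: no hash work, answers fast
        return self._verify(password, *record)

    def login_hardened(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            # Burn the same cost against the dummy credential, then reject
            # unconditionally so the dummy can never authenticate anyone.
            self._verify(password, self.dummy_salt, self.dummy_hash)
            return False
        return self._verify(password, *record)


def make_service() -> LoginService:
    """Constructed sample store with a single account."""
    salt = os.urandom(16)
    return LoginService({"alice@example.test": (salt, hash_password("correct horse", salt))})


def timed(fn, *args):
    """Return (result, elapsed_seconds) for one call."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    svc = make_service()
    for name, fn in (("vulnerable", svc.login_vulnerable), ("hardened", svc.login_hardened)):
        _, t_known = timed(fn, "alice@example.test", "wrong password")
        _, t_unknown = timed(fn, "nobody@example.test", "wrong password")
        print(f"{name:10s} known={t_known*1000:7.1f} ms  unknown={t_unknown*1000:7.1f} ms")
```

Running the script shows the vulnerable routine answering the unknown email in microseconds while the known email pays the full hash cost; the hardened routine pays it on both paths. The dummy comparison removes the hash-cost gap the advisory describes, but a real service still has smaller residual differences (the database lookup itself, logging on one path only), so the fix is best paired with per-IP and per-account rate limiting on the login endpoint.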
References (2)
Core References
x_refsource_confirm
https://github.com/mauriceboe/TREK/security/advisories/GHSA-3552-3c98-x79r
x_refsource_misc
https://gist.github.com/jubnl/c2402adf85d946c1730867aeecc794de
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
10.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-203
CWE-208
Status
published
Products (1)
mauriceboe/TREK
< 3.0.18
Published
May 28, 2026
Tracked Since
May 29, 2026