CVE-2026-45410

Source
https://cve.org/CVERecord?id=CVE-2026-45410
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45410.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45410
Aliases
  • GHSA-3552-3c98-x79r
Published
2026-05-28T21:23:01.431Z
Modified
2026-07-15T01:49:16.168651760Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Time-based user enumeration in TREK authentication endpoint
Details

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45410.json",
    "cwe_ids": [
        "CWE-203",
        "CWE-208"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mauriceboe/trek

Affected ranges

Type
GIT
Repo
https://github.com/mauriceboe/trek
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.18"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v2.*
v2.1.0
v2.3.5
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.2
v2.8.0
v2.8.4
v2.9.10
v2.9.11
v2.9.12
v2.9.13
v2.9.14
v2.9.2
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9
v3.*
v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45410.json"