CVE-2026-45410
Time-based user enumeration in TREK authentication endpoint
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14ร timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.
| CWE | CWE-203 CWE-208 |
| Vendor | mauriceboe |
| Product | trek |
| Published | May 28, 2026 |
| Last Updated | May 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for mauriceboe trek
Be the first to know when new medium vulnerabilities affecting mauriceboe trek are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
mauriceboe / TREK
< 3.0.18