CVE-2026-45410 mauriceboe CVE debrief

Who should care

Organizations operating TREK collaborative travel planner instances; security teams monitoring for account enumeration techniques; developers implementing authentication systems requiring side-channel resistance

Technical summary

The vulnerability exists in TREK's login flow where the application returns early when a submitted email address is not found in the database (~10 ms response), but performs bcrypt password hash comparison when the email exists (~370 ms response). This observable timing difference of approximately 360 milliseconds enables unauthenticated remote attackers to determine whether arbitrary email addresses are registered in the system. The attack requires no special privileges and can be conducted over the network with standard HTTP requests. The identical HTTP 401 Unauthorized responses and response bodies for both cases prevent detection through content analysis alone, making timing measurement the sole exploitation vector.

Defensive priority

medium

Recommended defensive actions

• Upgrade TREK to version 3.0.18 or later to eliminate the timing side-channel
• If immediate patching is not feasible, implement constant-time authentication responses to prevent timing-based user enumeration
• Monitor authentication logs for patterns consistent with enumeration attempts (rapid sequential login requests with varying email addresses)
• Consider implementing rate limiting on login endpoints to slow potential enumeration attacks
• Review application logs for historical indicators of exploitation attempts prior to patch deployment

Evidence notes

CVE description confirms timing differential of ~370ms for existing users versus ~10ms for non-existing users. GitHub Security Advisory GHSA-3552-3c98-x79r provides vendor acknowledgment and fix version.

Official resources