HIGH🇵🇱 Wersja polska

CVE-2026-25649

CVSS 7.3v3.1pub. 2026-02-23upd. 2026-02-26

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • Traccar

    APP
    Traccar
    ≤ 6.11.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-7746CRITICAL9.5PL ✓ten sam produkt

Traccar Server – pominięcie uwierzytelnienia przez domyślne dane logowania

CVE-2024-31214CRITICAL9.6PL ✓ten sam produkt

Traccar: nieograniczony upload plików prowadzący do RCE

CVE-2026-25648HIGH8.7ten sam produkt

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authent...

CVE-2025-68930HIGH7.1ten sam produkt

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSoc...

CVE-2023-50729HIGH8.4ten sam produkt

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file uplo...