CVE-2026-25649

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-23 22:16

Updated : 2026-02-26 16:23

NVD link : CVE-2026-25649

Mitre link : CVE-2026-25649

CVE.ORG link : CVE-2026-25649

JSON object : View

Products Affected

traccar

traccar

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2026-25649", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-02-23T22:16:24.927", "references": [{"url": "https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-601"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available."}, {"lang": "es", "value": "Las versiones del sistema de seguimiento GPS de c\u00f3digo abierto Traccar hasta la 6.11.1 inclusive contienen un problema en el que usuarios autenticados pueden robar c\u00f3digos de autorizaci\u00f3n de OAuth 2.0 al explotar una vulnerabilidad de redirecci\u00f3n abierta en dos endpoints relacionados con OIDC. El par\u00e1metro 'redirect_uri' no se valida contra una lista blanca, permitiendo a los atacantes redirigir c\u00f3digos de autorizaci\u00f3n a URL controladas por el atacante, lo que permite la toma de control de cuentas en cualquier aplicaci\u00f3n integrada con OAuth. Al momento de la publicaci\u00f3n, no est\u00e1 claro si hay una soluci\u00f3n disponible."}], "lastModified": "2026-02-26T16:23:23.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76FAA1A2-2E75-4EAC-A7FA-BD790B7986A6", "versionEndIncluding": "6.11.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}