CVE-2026-25649
7.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The redirect_uri parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| traccar | traccar | <= 6.11.1 | affected |
Weaknesses
- CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.