Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
Traccar GPS Tracking System: Unauthorized Access via WebSocket
CVE-2025-68930
Summary
Traccar's GPS tracking software has a security issue that allows an attacker to access your system using a user's credentials. This could allow them to see sensitive location data. Update to a fixed version to protect your data.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| traccar | traccar | <= 6.11.1 | – |
Original title
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fail...
Original description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.
nvd CVSS3.1
6.5
Vulnerability type
CWE-1385
- https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp Vendor Advisory Exploit Mitigation
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026