Traccar GPS Tracking System: Authenticated Users Can Steal OAuth 2.0 Codes
CVE-2026-25649
Summary
An open redirect in two OIDC-related endpoints of the Traccar GPS tracking system lets an authenticated Traccar user steal OAuth 2.0 authorization codes: the `redirect_uri` parameter is not validated against an allow-list, so an authorization code can be sent to an attacker-controlled URL instead of the legitimate callback. Because a stolen code can be exchanged for tokens, this enables account takeover on any application that is OAuth-integrated with Traccar. Versions up to and including 6.11.1 are affected; no fixed version was known at the time of publication, so check the vendor advisory for an update and treat the OIDC login flow as exposed until one ships.
What to do
At the time of publication it was unclear whether a fix is available. Check the GitHub security advisory linked below and Traccar's release notes for a fixed version.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| traccar | traccar | <= 6.11.1 | – |
Original title
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redire...
Original description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of the time of publication, it is unclear whether a fix is available.
NVD CVSS 3.1 base score: 8.7
Vulnerability type
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-601: Open Redirect
References
- https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7 (tags: Exploit, Mitigation, Vendor Advisory)
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026