CVE-2026-25649
- Source
- https://cve.org/CVERecord?id=CVE-2026-25649
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25649.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25649
- Aliases
-
- GHSA-ccc7-4r59-4pp7
- Published
- 2026-02-23T21:12:06.040Z
- Modified
- 2026-04-10T05:40:42.768433Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Traccar Vulnerable to Authorization Code Theft via Open Redirect in OIDC Provider Endpoints
- Details
-
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The
redirect_uriparameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25649.json", "cwe_ids": [ "CWE-352", "CWE-601" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/traccar/traccar
Affected versions
v2.*
v2.0
v2.1
v2.10
v2.11
v2.12
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.8
v2.9
v3.*
v3.0
v3.1
v3.10
v3.11
v3.12
v3.13
v3.14
v3.15
v3.16
v3.17
v3.2
v3.4
v3.5
v3.6
v3.7
v3.8
v3.9
v4.*
v4.0
v4.1
v4.10
v4.11
v4.12
v4.13
v4.14
v4.15
v4.2
v4.3
v4.4
v4.5
v4.6
v4.7
v4.8
v4.9
v5.*
v5.0
v5.1
v5.10
v5.11
v5.12
v5.2
v5.3
v5.4
v5.5
v5.6
v5.7
v5.8
v5.9
v6.*
v6.0
v6.1
v6.10.0
v6.11.0
v6.11.1
v6.2
v6.3
v6.4
v6.5
v6.6
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.9.0
v6.9.1