CVE-2026-44314

Source
https://cve.org/CVERecord?id=CVE-2026-44314
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44314.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44314
Aliases
  • GHSA-33v4-5x2g-7mjm
Published
2026-05-26T16:02:15.561Z
Modified
2026-07-15T01:49:14.659750410Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Traccar: Missing edit authorization on device image upload allows read-only users to write files
Details

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44314.json"
}
References

Affected packages

Git / github.com/traccar/traccar

Affected ranges

Type
GIT
Repo
https://github.com/traccar/traccar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.13.0"
        }
    ],
    "cpe": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*"
}

Affected versions

v2.*
v2.0
v2.1
v2.10
v2.11
v2.12
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.8
v2.9
v3.*
v3.0
v3.1
v3.10
v3.11
v3.12
v3.13
v3.14
v3.15
v3.16
v3.17
v3.2
v3.4
v3.5
v3.6
v3.7
v3.8
v3.9
v4.*
v4.0
v4.1
v4.10
v4.11
v4.12
v4.13
v4.14
v4.15
v4.2
v4.3
v4.4
v4.5
v4.6
v4.7
v4.8
v4.9
v5.*
v5.0
v5.1
v5.10
v5.11
v5.12
v5.2
v5.3
v5.4
v5.5
v5.6
v5.7
v5.8
v5.9
v6.*
v6.0
v6.1
v6.10.0
v6.11.0
v6.11.1
v6.12.0
v6.12.1
v6.12.2
v6.2
v6.3
v6.4
v6.5
v6.6
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.9.0
v6.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44314.json"