CVE-2026-25649
Published: 23 February 2026
Summary
CVE-2026-25649 is a high-severity CSRF (CWE-352) vulnerability in Traccar Traccar. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Validates redirect targets and URLs to ensure they conform to allowed destinations.
Detects anomalous request patterns consistent with cross-site request forgery.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Open redirect in public OIDC endpoints (T1190) directly enables theft of OAuth authorization codes leading to access tokens (T1528) and subsequent account takeover.
NVD Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is…
more
not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.
Deeper analysisAI
CVE-2026-25649 is an open redirect vulnerability (CWE-601, CWE-352) in two OpenID Connect (OIDC)-related endpoints of the Traccar open-source GPS tracking system, affecting all versions up to and including 6.11.1. The flaw stems from a lack of validation for the `redirect_uri` parameter against a whitelist, enabling authenticated users to manipulate OAuth 2.0 authorization code redirects.
Authenticated attackers with low privileges can exploit this vulnerability remotely (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). By controlling the `redirect_uri`, they can steal authorization codes and redirect them to attacker-controlled URLs, achieving account takeover on any OAuth-integrated application and resulting in high confidentiality and integrity impacts (CVSS:3.1 score of 7.3; C:H/I:H/A:N/S:U).
The primary advisory, published on GitHub at https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7 on 2026-02-23, describes the issue but notes that as of the time of publication, it is unclear whether a fix is available. Security practitioners should monitor for updates and consider restricting authenticated access or disabling OIDC endpoints until mitigation is confirmed.
Details
- CWE(s)