Cyber Resilience

CVE-2026-25649

HighPublic PoC

Published: 23 February 2026

Published
23 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0014 3.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25649 is a high-severity CSRF (CWE-352) vulnerability in Traccar Traccar. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25649 is an open redirect vulnerability (CWE-601, CWE-352) in two OpenID Connect (OIDC)-related endpoints of the Traccar open-source GPS tracking system, affecting all versions up to and including 6.11.1. The flaw stems from a lack of validation for the `redirect_uri` parameter against a whitelist, enabling authenticated users to manipulate OAuth 2.0 authorization code redirects.

Authenticated attackers with low privileges can exploit this vulnerability remotely (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). By controlling the `redirect_uri`, they can steal authorization codes and redirect them to attacker-controlled URLs, achieving account takeover on any OAuth-integrated application and resulting in high confidentiality and integrity impacts (CVSS:3.1 score of 7.3; C:H/I:H/A:N/S:U).

The primary advisory, published on GitHub at https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7 on 2026-02-23, describes the issue but notes that as of the time of publication, it is unclear whether a fix is available. Security practitioners should monitor for updates and consider restricting authenticated access or disabling OIDC endpoints until mitigation is confirmed.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is…

more

not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Open redirect in public OIDC endpoints (T1190) directly enables theft of OAuth authorization codes leading to access tokens (T1528) and subsequent account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25648Same product: Traccar Traccar
CVE-2025-68930Same product: Traccar Traccar
CVE-2026-3872Shared CWE-601
CVE-2026-4984Shared CWE-352
CVE-2026-0508Shared CWE-601
CVE-2025-23467Shared CWE-352
CVE-2018-25170Shared CWE-352
CVE-2025-22336Shared CWE-352
CVE-2025-23821Shared CWE-352
CVE-2025-22582Shared CWE-352

Affected Assets

traccar
traccar
≤ 6.11.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the redirect_uri parameter against an approved list, blocking the open redirect that steals OAuth codes.

prevent

Enforces approved information flow rules so authorization codes cannot be redirected to attacker-controlled endpoints.

prevent

Enforces access-control decisions on OIDC endpoints, preventing unauthorized redirection of authorization codes.

References