CVE-2026-25649
Published: 23 February 2026
Summary
CVE-2026-25649 is a high-severity CSRF (CWE-352) vulnerability in Traccar Traccar. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-25649 is an open redirect vulnerability (CWE-601, CWE-352) in two OpenID Connect (OIDC)-related endpoints of the Traccar open-source GPS tracking system, affecting all versions up to and including 6.11.1. The flaw stems from a lack of validation for the `redirect_uri` parameter against a whitelist, enabling authenticated users to manipulate OAuth 2.0 authorization code redirects.
Authenticated attackers with low privileges can exploit this vulnerability remotely (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). By controlling the `redirect_uri`, they can steal authorization codes and redirect them to attacker-controlled URLs, achieving account takeover on any OAuth-integrated application and resulting in high confidentiality and integrity impacts (CVSS:3.1 score of 7.3; C:H/I:H/A:N/S:U).
The primary advisory, published on GitHub at https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7 on 2026-02-23, describes the issue but notes that as of the time of publication, it is unclear whether a fix is available. Security practitioners should monitor for updates and consider restricting authenticated access or disabling OIDC endpoints until mitigation is confirmed.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7482
Vulnerability details
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is…
more
not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Open redirect in public OIDC endpoints (T1190) directly enables theft of OAuth authorization codes leading to access tokens (T1528) and subsequent account takeover.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the redirect_uri parameter against an approved list, blocking the open redirect that steals OAuth codes.
Enforces approved information flow rules so authorization codes cannot be redirected to attacker-controlled endpoints.
Enforces access-control decisions on OIDC endpoints, preventing unauthorized redirection of authorization codes.