What is the CVSS score of CVE-2026-25649?

CVE-2026-25649 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Open Redirect are affected by CVE-2026-25649?

Traccar GPS tracking systems up to version 6.11.1 are vulnerable to OAuth credential theft through open redirect attacks, allowing authenticated users to compromise accounts of other system users.

Is there a public PoC exploit available for CVE-2026-25649?

Yes, a public proof-of-concept exploit is available for CVE-2026-25649. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25649?

Within 24 hours: Inventory all Traccar deployments and confirm versions currently in use; restrict network access to OIDC-related endpoints to trusted networks only. Within 7 days: Implement WAF rules to block suspicious redirect parameters on affected endpoints; disable OAuth/OIDC functionality if not operationally critical. Within 30 days: Monitor vendor communications for patch availability; evaluate alternative GPS tracking solutions if Traccar cannot be patched within 90 days; conduct access logs review for signs of exploitation.

Open Redirect CVE-2026-25649

HIGH

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-02-23 security-advisories@github.com

Open Redirect Traccar

7.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 26, 2026 - 16:23 vuln.today

Public exploit code

CVE Published

Feb 23, 2026 - 22:16 nvd

HIGH 7.3

DescriptionGitHub Advisory

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The redirect_uri parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.

AnalysisAI

Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes through unvalidated redirect URIs in OIDC endpoints, enabling account takeover on integrated applications. The vulnerability stems from missing whitelist validation on the redirect_uri parameter, permitting attackers to exfiltrate authorization codes to attacker-controlled servers. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticated user initiates OAuth flow

Delivery

Craft malicious redirect_uri parameter

Exploit

OIDC endpoint redirects to attacker URL

Execution

Authorization code sent to attacker

Impact

Attacker exchanges code for victim account access

Access

Authenticated user initiates OAuth flow

Delivery

Craft malicious redirect_uri parameter

Exploit

OIDC endpoint redirects to attacker URL

Execution

Authorization code sent to attacker

Impact

Attacker exchanges code for victim account access

Vulnerability AssessmentAI

Exploitation	Traccar version 6.11.1 or earlier with OAuth 2.0/OIDC integration enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.3 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Traccar deployments and confirm versions currently in use; restrict network access to OIDC-related endpoints to trusted networks only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-45566 MEDIUM This Month

6.1 Jun 10

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authent

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM This Month