CVE-2026-25649
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Tags
Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.
Analysis
Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes through unvalidated redirect URIs in OIDC endpoints, enabling account takeover on integrated applications. The vulnerability stems from missing whitelist validation on the redirect_uri parameter, permitting attackers to exfiltrate authorization codes to attacker-controlled servers. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Traccar deployments and confirm versions currently in use; restrict network access to OIDC-related endpoints to trusted networks only. Within 7 days: Implement WAF rules to block suspicious redirect parameters on affected endpoints; disable OAuth/OIDC functionality if not operationally critical. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today