Severity by source

CVSS Vector (GitHub Advisory): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory; the only source for this CVE.
Description (GitHub Advisory)
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.
Analysis (AI)
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to overwrite device image files on the server, bypassing readonly and deviceReadonly access restrictions that all other device mutation paths correctly enforce. Traccar versions prior to 6.13.0 are affected, and the root cause is a missing permissionsService.checkEdit call in the image upload route that is present everywhere else in the mutation surface. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid authenticated Traccar user session (PR:L confirmed by CVSS vector); unauthenticated access is not sufficient. … |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) is consistent with the constrained impact: the vector AV:N/AC:L/AT:N/PR:L/UI:N indicates network-accessible, low-complexity exploitation by any authenticated user, with no additional prerequisites and no user interaction required. … |
| Exploit Scenario | An attacker with a valid low-privilege Traccar account (such as a user account explicitly marked readonly or deviceReadonly) crafts a multipart HTTP POST request directly to the DeviceResource.uploadImage endpoint for a device they can observe in the UI. Because the route validates device ownership but skips the checkEdit permission guard, the server accepts the upload and overwrites the target device's stored image file on disk. … |
| Remediation | The primary fix is upgrading to Traccar 6.13.0, which resolves the issue by adding the missing permissionsService.checkEdit call to the DeviceResource.uploadImage route, bringing it in line with all other device mutation endpoints. … |
Related identifier: EUVD-2026-31852