Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
Authorization bypass through User-Controlled key vulnerability in HAVELSAN Inc. Geographic Tracking System allows Exploitation of Trusted Identifiers.
This issue affects Geographic Tracking System: before v0.0.2.
Analysis (AI)
Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of HAVELSAN Geographic Tracking System prior to v0.0.2, consistent with the CVSS vector AV:N/AC:L/PR:N/UI:N. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates a high-severity, easily reachable issue: network-accessible, low complexity, no privileges, no user interaction, with high confidentiality and integrity impact (availability unaffected, consistent with data tampering rather than service disruption). … |
| Exploit Scenario | A remote attacker reaches the Geographic Tracking System web interface, authenticates as (or registers) any low-privilege user or interacts with an unauthenticated endpoint, and submits requests that reference object identifiers belonging to other users - for example by incrementing a tracking-record ID in a URL or API parameter. Because the server trusts the client-supplied key without enforcing an ownership check, the attacker reads sensitive geolocation data and can modify records belonging to other tenants. … |
| Remediation | Upgrade Geographic Tracking System to v0.0.2 or later, which is the patched version per the advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325 (vendor-released patch: v0.0.2). … |
Recommended Action (AI)
Within 24 hours: Identify all instances of HAVELSAN GTS in production and assess user exposure scope. …
EUVD-2026-34840
GHSA-978c-95pr-x896