
Geographic Tracking System CVE-2026-6208

EUVD-2026-34840 · CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-05 · TR-CERT · GHSA-978c-95pr-x896
CVSS 3.1: 9.1 (NVD)

Severity by source

NVD (primary): 9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 05, 2026 - 15:00 (vuln.today)

Description (CVE.org)

Authorization bypass through User-Controlled key vulnerability in HAVELSAN Inc. Geographic Tracking System allows Exploitation of Trusted Identifiers.

This issue affects Geographic Tracking System: before v0.0.2.

Analysis (AI)

Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Discover exposed Geographic Tracking System instance
Delivery: Identify object-reference endpoint
Exploit: Substitute victim's identifier in request
Execution: Server skips authorization check
Impact: Read or modify victim's tracking records

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of HAVELSAN Geographic Tracking System prior to v0.0.2, consistent with the CVSS vector AV:N/AC:L/PR:N/UI:N. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates a high-severity, easily reachable issue: network-accessible, low complexity, no privileges, no user interaction, with high confidentiality and integrity impact (availability unaffected, consistent with data tampering rather than service disruption). …

Exploit Scenario: A remote attacker reaches the Geographic Tracking System web interface, authenticates as (or registers) any low-privilege user or interacts with an unauthenticated endpoint, and submits requests that reference object identifiers belonging to other users - for example by incrementing a tracking-record ID in a URL or API parameter. Because the server trusts the client-supplied key without enforcing an ownership check, the attacker reads sensitive geolocation data and can modify records belonging to other tenants. …

Remediation: Upgrade Geographic Tracking System to v0.0.2 or later, which is the patched version per the advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325 (vendor-released patch: v0.0.2). …

Recommended Action (AI)

Within 24 hours: Identify all instances of HAVELSAN GTS in production and assess user exposure scope. …
