Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Access Control, Missing Authorization vulnerability in HAVELSAN Inc. Geographic Tracking System allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Geographic Tracking System: before v0.0.2.
AnalysisAI
Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of HAVELSAN Geographic Tracking System versions before v0.0.2, per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reachable on the same network as the Geographic Tracking System sends direct HTTP requests to API routes that the UI normally gates behind login or role checks, receiving location records, tracked-entity metadata, or write access to tracking configuration without presenting valid credentials. Because attack complexity is low and no user interaction is needed, this can be scripted to enumerate tracked assets at scale. … |
| Remediation | Upgrade HAVELSAN Geographic Tracking System to v0.0.2 or later, which per the affected-version range contains the access-control fix; consult the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325 for vendor coordination details. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Conduct full inventory of HAVELSAN Geographic Tracking System deployments; isolate any pre-0.0.2 instances from external and untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Geographic Tracking System
View allAuthorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated
Information disclosure in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated att
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34841
GHSA-q66c-6wwq-qf8f