Skip to main content

Geographic Tracking System EUVDEUVD-2026-34841

| CVE-2026-6209 CRITICAL
Improper Access Control (CWE-284)
2026-06-05 TR-CERT GHSA-q66c-6wwq-qf8f
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:01 vuln.today

DescriptionCVE.org

Improper Access Control, Missing Authorization vulnerability in HAVELSAN Inc. Geographic Tracking System allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Geographic Tracking System: before v0.0.2.

AnalysisAI

Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Geographic Tracking System instance
Delivery
Send unauthenticated request to protected API
Exploit
Bypass missing ACL check
Execution
Enumerate tracked entities and locations
Impact
Exfiltrate or tamper with tracking data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of HAVELSAN Geographic Tracking System versions before v0.0.2, per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable on the same network as the Geographic Tracking System sends direct HTTP requests to API routes that the UI normally gates behind login or role checks, receiving location records, tracked-entity metadata, or write access to tracking configuration without presenting valid credentials. Because attack complexity is low and no user interaction is needed, this can be scripted to enumerate tracked assets at scale. …
Remediation Upgrade HAVELSAN Geographic Tracking System to v0.0.2 or later, which per the affected-version range contains the access-control fix; consult the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325 for vendor coordination details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct full inventory of HAVELSAN Geographic Tracking System deployments; isolate any pre-0.0.2 instances from external and untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-34841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy