Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.
Published: 2026-02-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Patch Update
AI Analysis

Impact

A flaw in Traccar allows authenticated users who can create or edit devices to set the device uniqueId to an absolute path. When an image for the device is uploaded, the application uses this uniqueId to build a filesystem path without ensuring that the resulting path remains under the configured media root. This results in the ability to write files outside the intended media directory, potentially overwriting critical system files or placing malicious files in executable locations.

Affected Systems

The vulnerability affects the Traccar open-source GPS tracking system, versions up to and including 6.11.1. No other vendor or product is listed, and no specific patch version has been released at the time of publication.

Risk and Exploitability

With a CVSS score of 6.5 the severity is moderate, and the EPSS score indicates a very low current exploitation probability (<1%). The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated Traccar account with device creation or editing rights; the attacker then crafts a uniqueId containing an absolute path and uploads an image, causing the server to write the payload outside the media root.

Generated by OpenCVE AI on April 17, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Traccar update once the vendor releases a fix for the path traversal issue or upgrade to a fixed version.
  • Restrict device creation and editing rights to administrative users only, removing the ability for regular accounts to set absolute uniqueIds.
  • Configure the media root directory and its file system permissions so that Traccar can write only within that folder and prevent writes to the rest of the server.
  • If no vendor patch is available, modify the device image upload handling to reject or sanitize absolute paths supplied in the uniqueId before constructing the file path.
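The last recommendation above is the one a developer can act on immediately, so here is an added illustration of it (not Traccar's own code; the class `MediaPathGuard` and its method names are hypothetical). It assumes the Java NIO `Path` API and shows both halves of the problem: `Path.resolve()` returns its argument unchanged when that argument is absolute, which is exactly how an absolute `uniqueId` walks out of the media root, and a hardened variant that allowlists the identifier and then verifies the normalised result is still contained under the root.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper, not Traccar's own code: demonstrates why an absolute
// uniqueId escapes the media root and how a containment check closes the hole.
public final class MediaPathGuard {

    private final Path mediaRoot;

    public MediaPathGuard(Path mediaRoot) throws IOException {
        // Canonicalise once so later comparisons are not fooled by symlinks
        // or ".." components in the configured root itself.
        this.mediaRoot = mediaRoot.toRealPath();
    }

    // Vulnerable pattern: Path.resolve() returns its argument unchanged when
    // that argument is absolute, so uniqueId="/tmp/elsewhere" yields
    // /tmp/elsewhere/<fileName>, entirely outside mediaRoot.
    public Path unsafeImagePath(String uniqueId, String fileName) {
        return mediaRoot.resolve(uniqueId).resolve(fileName);
    }

    // Hardened form: allowlist the identifier and file name (no separators,
    // no leading dot), then verify the normalised result still lies under
    // the media root. The second check is defence in depth for the first.
    public Path safeImagePath(String uniqueId, String fileName) {
        if (!uniqueId.matches("[A-Za-z0-9._-]{1,64}") || uniqueId.startsWith(".")) {
            throw new IllegalArgumentException("invalid uniqueId");
        }
        if (!fileName.matches("[A-Za-z0-9._-]{1,64}") || fileName.startsWith(".")) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path candidate = mediaRoot.resolve(uniqueId).resolve(fileName).normalize();
        // Path.startsWith compares whole name elements, so a sibling directory
        // such as "media-other" is not mistaken for being under "media".
        if (!candidate.startsWith(mediaRoot)) {
            throw new IllegalArgumentException("path escapes media root");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a throwaway directory stands in for the media root.
        Path root = Files.createTempDirectory("media");
        MediaPathGuard guard = new MediaPathGuard(root);

        System.out.println(guard.unsafeImagePath("device123", "device.jpg"));
        // Absolute uniqueId: the unsafe version silently leaves the media root.
        System.out.println(guard.unsafeImagePath("/tmp/elsewhere", "device.jpg"));

        System.out.println(guard.safeImagePath("device123", "device.jpg"));
        for (String bad : new String[] {"/tmp/elsewhere", "../escape", "a/b", ".hidden"}) {
            try {
                guard.safeImagePath(bad, "device.jpg");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac MediaPathGuard.java && java MediaPathGuard`. The allowlist alone is enough to stop the absolute-path case; the `startsWith` check after `normalize()` is kept so that a future change to the allowlist (or an identifier that reaches this code by another route) still cannot produce a path outside the root.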


Tracking


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:15:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 16:30:00 +0000

Type: CPEs
Values Removed:
Values Added: cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Traccar; Traccar traccar

Type: Vendors & Products
Values Removed:
Values Added: Traccar; Traccar traccar

Mon, 23 Feb 2026 21:15:00 +0000

Type: Description
Values Removed:
Values Added: Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.

Type: Title
Values Removed:
Values Added: Traccar vulnerable to Path Traversal and External Control of File Name or Path

Type: Weaknesses
Values Removed:
Values Added: CWE-22; CWE-73

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T15:15:06.269Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23521

Vulnrichment

Updated: 2026-02-25T15:14:57.822Z

NVD

Status : Analyzed

Published: 2026-02-23T21:19:09.990

Modified: 2026-02-26T16:27:57.280

Link: CVE-2026-23521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses