Description
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.
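The authorization gap named in the description, modelled in Python as an added example that is not Traccar's code: `check_permission` stands in for the Condition.Permission link check, `check_edit` for permissionsService.checkEdit, and the flag semantics (admin bypass, readonly, deviceReadonly) and all sample data are assumptions, not copied from the project.

```python
# Constructed model of the authorization gap (not Traccar code): a device
# upload route that does the ownership link check but skips the edit check.
from dataclasses import dataclass

class Forbidden(Exception):
    """Stands in for the security exception the real guards raise."""

@dataclass(frozen=True)
class User:
    id: int
    administrator: bool = False
    readonly: bool = False          # may not mutate anything
    device_readonly: bool = False   # may not mutate devices

# user id -> device ids linked to that user (constructed sample data)
LINKS = {7: {42}}

def check_permission(user, device_id, links=LINKS):
    """Counterpart of the Condition.Permission link check: is the device linked to the user?"""
    if not user.administrator and device_id not in links.get(user.id, set()):
        raise Forbidden("device not linked to user")

def check_edit(user, is_device):
    """Counterpart of checkEdit: the readonly/deviceReadonly guard for non-admins (assumed semantics)."""
    if user.administrator:
        return
    if user.readonly:
        raise Forbidden("readonly user may not edit")
    if is_device and user.device_readonly:
        raise Forbidden("deviceReadonly user may not edit devices")

def upload_image_vulnerable(user, device_id, body, media):
    check_permission(user, device_id)        # link check only
    media[device_id] = body                  # written straight into the media store
    return True

def upload_image_fixed(user, device_id, body, media):
    check_permission(user, device_id)
    check_edit(user, is_device=True)         # the guard the vulnerable route skipped
    media[device_id] = body
    return True

def overwritten(handler, user, device_id=42):
    """Return whether `handler` let `user` replace the device's stored image."""
    media = {device_id: b"original.png"}
    try:
        handler(user, device_id, b"replacement.png", media)
    except Forbidden:
        pass
    return media[device_id] != b"original.png"

if __name__ == "__main__":
    ro = User(id=7, readonly=True)
    print("vulnerable:", overwritten(upload_image_vulnerable, ro))  # True
    print("fixed:     ", overwritten(upload_image_fixed, ro))       # False
```

The same read-only user passes the link check on both routes; only the fixed route rejects the write, which is the behaviour the other device mutation paths already had.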
Published: 2026-05-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traccar's image upload endpoint performs the device link check but skips the edit permission check that normally protects devices against modification by non-admin users. This oversight, classified as CWE-863 (Incorrect Authorization), allows a read-only user to upload a new image that replaces the existing device image under the server media directory. The compromise is limited to integrity; the attacker cannot read data or execute code, but the altered image affects the UI display and any downstream processes that rely on the image file. The vulnerability exists only for authenticated sessions and does not provide broader system access.

Affected Systems

The vendor is Traccar. The impacted product is the Traccar GPS tracking system. Any installation of Traccar running a version earlier than 6.13.0 is vulnerable. Versions 6.13.0 and later include a fix that re-enforces the edit permission on the upload route.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity. No EPSS score is reported, and the weakness is not currently listed in the CISA KEV catalog. Attackers would need to authenticate to a Traccar account that has a read-only role but no edit rights, which is typical of many deployments. Once authenticated, the attacker can upload an image of their choice and overwrite the device's stored image file. Because the flaw involves no disclosure or privilege escalation, the risk is primarily to integrity and downstream workflows rather than to confidentiality or availability, but the ease of exploitation via a web form makes it a practical threat in environments where read-only users are plentiful.

Generated by OpenCVE AI on May 26, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traccar to version 6.13.0 or later
  • Configure the image upload endpoint to allow writes only to administrator roles or explicitly remove public upload access as a temporary workaround
  • Review and adjust role-based permissions to ensure that read-only users cannot transmit data to the upload service


Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Traccar
Traccar traccar
Vendors & Products Traccar
Traccar traccar

Tue, 26 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.
Title Traccar: Missing edit authorization on device image upload allows read-only users to write files
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T17:36:58.670Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44314

Vulnrichment

Updated: 2026-05-26T17:35:24.636Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:46.243

Modified: 2026-06-17T10:50:29.137

Link: CVE-2026-44314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:45:12Z

Weaknesses