Description
Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traccar Client is a mobile GPS tracking application that sends location data to a configured server. In versions 9.7.19 and earlier the app registers a custom deep‑link scheme org.traccar.client://config that accepts parameters such as server URL, device ID, accuracy, distance and interval. A single crafted link, delivered via SMS, email, a web page or any other app, can be opened by the user without any prompt or visual indication; the app silently writes the attacker’s supplied values into its persistent configuration. As a result, all subsequent telemetry is routed to the attacker‑controlled server at full precision and maximum frequency, and the change persists across device reboots and application restarts. The affected product is Traccar Client, available from the vendor traccar:traccar-client, for all releases 9.7.19 and earlier. The issue was fixed in version 9.7.20 and later. The vulnerability has a CVSS score of 9.3, indicating a high‑severity defect. The EPSS score is below 1 %, suggesting that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. An attacker only needs the ability to send the crafted deep‑link URL to the victim; no additional privileges or special conditions are required. Because the attack requires user interaction to open the link, the likelihood of automated exploitation is limited, but the impact on confidentiality and integrity is significant due to the continuous real‑time tracking of the victim’s location.

Affected Systems

The affected product is Traccar Client, produced by traccar:traccar-client, versions 9.7.19 and earlier. The vulnerability was fixed in version 9.7.20.

Risk and Exploitability

The vulnerability is severe with a CVSS score of 9.3, but the EPSS score is below 1 %, indicating low current exploitation probability. The attack requires a victim to tap a crafted org.traccar.client://config deep‑link URL that may be sent via SMS, e‑mail or a web page; no elevated privileges are needed. If exploited, the attacker can silently overwrite the app’s persistent configuration, redirecting all GPS telemetry to an attacker‑controlled server with maximum precision and frequency, and this reconfiguration persists across restarts. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 17, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Traccar Client to version 9.7.20 or later.
  • Remove or disable the org.traccar.client://config deep‑link scheme in the device’s app settings to prevent reconfiguration.
  • Verify that only the official Traccar Client application is installed and that no unauthorized apps are handling the custom link scheme.

Generated by OpenCVE AI on June 17, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Traccar
Traccar traccar
Vendors & Products Traccar
Traccar traccar

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.
Title Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry
Weaknesses CWE-940
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T13:53:55.957Z

Reserved: 2026-05-22T19:10:35.747Z

Link: CVE-2026-48745

cve-icon Vulnrichment

Updated: 2026-06-17T13:53:37.107Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-940

    Improper Verification of Source of a Communication Channel