ByteOS Network

CVE Vulnerability Details :

CVE-2026-25649

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-23 Feb, 2026 | 21:12

Updated At-23 Feb, 2026 | 21:12

▼CVE Numbering Authority (CNA)

Traccar Vulnerable to Authorization Code Theft via Open Redirect in OIDC Provider Endpoints

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available.

Affected Products

Vendor

traccar

Product

traccar

Versions

Affected

<= 6.11.1

Problem Types

Type	CWE ID	Description
CWE	CWE-352	CWE-352: Cross-Site Request Forgery (CSRF)
CWE	CWE-601	CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Type: CWE

CWE ID: CWE-352

Description: CWE-352: Cross-Site Request Forgery (CSRF)

Type: CWE

CWE ID: CWE-601

Description: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Metrics

Version	Base score	Base severity	Vector
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Version: 3.1

Base score: 7.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References

Hyperlink	Resource
https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7	x_refsource_CONFIRM

Hyperlink: https://github.com/traccar/traccar/security/advisories/GHSA-ccc7-4r59-4pp7

Resource:

x_refsource_CONFIRM

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References