CVE-2025-68930

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp	Vendor Advisory Exploit Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*

History

26 Feb 2026, 16:30

Type	Values Removed	Values Added
References	~~() https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp -~~	() https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp - Vendor Advisory, Exploit, Mitigation
CPE		cpe:2.3:a:traccar:traccar::::::::
Summary		(es) Las versiones del sistema de seguimiento GPS de código abierto Traccar hasta la 6.11.1 inclusive contienen una vulnerabilidad de Secuestro de WebSocket entre Sitios (CSWSH) en el endpoint `/api/socket`. La aplicación no valida el encabezado 'Origin' durante el handshake de WebSocket. Esto permite a un atacante remoto eludir la Política del Mismo Origen (SOP) y establecer una conexión WebSocket full-duplex utilizando las credenciales de un usuario legítimo (JSESSIONID). En el momento de la publicación, no está claro si hay una solución disponible.
First Time		Traccar Traccar traccar

23 Feb 2026, 21:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-23 21:19

Updated : 2026-02-26 16:30

NVD link : CVE-2025-68930

Mitre link : CVE-2025-68930

CVE.ORG link : CVE-2025-68930

JSON object : View

Products Affected

traccar

traccar

CWE

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2025-68930", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-23T21:19:08.500", "references": [{"url": "https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp", "tags": ["Vendor Advisory", "Exploit", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available."}, {"lang": "es", "value": "Las versiones del sistema de seguimiento GPS de c\u00f3digo abierto Traccar hasta la 6.11.1 inclusive contienen una vulnerabilidad de Secuestro de WebSocket entre Sitios (CSWSH) en el endpoint `/api/socket`. La aplicaci\u00f3n no valida el encabezado 'Origin' durante el handshake de WebSocket. Esto permite a un atacante remoto eludir la Pol\u00edtica del Mismo Origen (SOP) y establecer una conexi\u00f3n WebSocket full-duplex utilizando las credenciales de un usuario leg\u00edtimo (JSESSIONID). En el momento de la publicaci\u00f3n, no est\u00e1 claro si hay una soluci\u00f3n disponible."}], "lastModified": "2026-02-26T16:30:45.903", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76FAA1A2-2E75-4EAC-A7FA-BD790B7986A6", "versionEndIncluding": "6.11.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}