CVE-2026-23521

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23521
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr Exploit Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*
History

26 Feb 2026, 16:27

Type Values Removed Values Added
Summary
  • (es) Las versiones del sistema de seguimiento GPS de código abierto Traccar hasta la 6.11.1 inclusive contienen un problema en el que los usuarios autenticados que pueden crear o editar dispositivos pueden establecer el 'uniqueId' de un dispositivo a una ruta absoluta. Al cargar una imagen de dispositivo, Traccar utiliza ese 'uniqueId' para construir la ruta del sistema de archivos sin asegurar que la ruta resuelta permanezca bajo la raíz de medios. Esto permite escribir archivos fuera del directorio de medios. Al momento de la publicación, no está claro si hay una solución disponible.
First Time Traccar
Traccar traccar
CPE cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*
References () https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr - () https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr - Exploit, Mitigation, Vendor Advisory

23 Feb 2026, 21:19

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-23 21:19

Updated : 2026-02-26 16:27

NVD link : CVE-2026-23521

Mitre link : CVE-2026-23521

CVE.ORG link : CVE-2026-23521

JSON object : View

Products Affected

traccar

  • traccar
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path