PT-2026-21566 · Traccar · Traccar

Djvirus9 · Published 2026-02-23 · Updated 2026-02-28 · CVE-2026-25649

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Traccar versions up to and including 6.11.1
Description: The Traccar open-source GPS tracking system is affected by an issue where authenticated users can obtain OAuth 2.0 authorization codes through an open redirect flaw in two OpenID Connect (OIDC)-related endpoints. The redirect_uri parameter is not properly validated against a whitelist of registered redirect URIs, allowing attackers to have authorization codes delivered to URLs under their control. This can lead to account takeover on any application integrated with OAuth.
Recommendations: Versions up to and including 6.11.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
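To illustrate the flaw class in the description (a redirect_uri that is not matched against the client's registered URIs) alongside the mitigation, here is an added example; it is not Traccar's code and names none of its endpoints. The client id, registered URI and the lax validator are constructed for illustration; the strict validator follows the exact-match rule of RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: redirect URIs each client registered at integration time.
# Hypothetical values, not Traccar's configuration.
REGISTERED_REDIRECT_URIS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Hypothetical lax check of the kind that yields an open redirect: an empty
    value is waved through, and a supplied value passes whenever the registered
    hostname merely appears somewhere inside it (substring, not exact, match)."""
    if not redirect_uri:
        return True
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return any(urlsplit(r).hostname in redirect_uri for r in registered)


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: the value must be present, use https, carry no fragment,
    and equal a pre-registered URI exactly; no prefix, substring or wildcard match."""
    if not redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def issue_authorization_code(validator, client_id: str, redirect_uri: str,
                             code: str = "CONSTRUCTED-CODE") -> Optional[str]:
    """Simulate the authorization endpoint's last step: the code is attached to
    redirect_uri only if the validator accepts it. Returns the Location header
    value the browser would be sent to, or None when the request is refused."""
    if not validator(client_id, redirect_uri):
        return None
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{separator}code={code}"


if __name__ == "__main__":
    # A look-alike third-party host that contains the registered hostname.
    lookalike = "https://app.example.com.third-party.example/collect"
    for name, check in (("weak", weak_redirect_allowed), ("strict", strict_redirect_allowed)):
        print(name, "->", issue_authorization_code(check, "demo-client", lookalike))
```

Running it shows the lax validator handing the code to the look-alike host while the strict validator refuses the request, which is the check a fix for this class of issue needs to enforce on every endpoint that accepts redirect_uri.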

Exploit

CSRF

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-25649
GHSA-CCC7-4R59-4PP7

Affected Products

Traccar