PT-2026-43299 · Traccar · Traccar
Forimoc
+1
·
Published
2026-05-26
·
Updated
2026-05-27
·
CVE-2026-44314
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Traccar versions prior to 6.13.0
Description
An authorization bypass exists in the GPS tracking system where the 'DeviceResource.uploadImage' endpoint fails to invoke the
permissionsService.checkEdit() function. While the system uses Condition.Permission(User.class, getUserId(), Device.class) for initial authorization, it skips the guard that enforces readonly and deviceReadonly restrictions for non-admin users. This allows an unauthorized user to replace a device's stored image file within the server media directory, modifying UI-visible media and affecting downstream workflows that rely on the persisted image.Recommendations
Update to version 6.13.0.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Traccar