PT-2026-43299 · Traccar · Traccar

Forimoc

+1

·

Published

2026-05-26

·

Updated

2026-05-27

·

CVE-2026-44314

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Traccar versions prior to 6.13.0
Description An authorization bypass exists in the GPS tracking system where the 'DeviceResource.uploadImage' endpoint fails to invoke the permissionsService.checkEdit() function. While the system uses Condition.Permission(User.class, getUserId(), Device.class) for initial authorization, it skips the guard that enforces readonly and deviceReadonly restrictions for non-admin users. This allows an unauthorized user to replace a device's stored image file within the server media directory, modifying UI-visible media and affecting downstream workflows that rely on the persisted image.
Recommendations Update to version 6.13.0.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44314
GHSA-33V4-5X2G-7MJM

Affected Products

Traccar