CVE-2026-23521
📋 TL;DR
This vulnerability allows authenticated users in Traccar GPS tracking systems to write files outside the intended media directory by setting a device's uniqueId to an absolute path. Attackers could potentially upload malicious files to arbitrary locations on the server. All Traccar instances up to version 6.11.1 are affected.
💻 Affected Systems
- Traccar GPS Tracking System
📦 What is this software?
Traccar by Traccar
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could write malicious files (webshells, backdoors) to sensitive system directories, potentially leading to remote code execution and full server compromise.
Likely Case
Authenticated users could write files outside the media directory, potentially disrupting system operations or storing malicious content in unexpected locations.
If Mitigated
With proper access controls limiting which users can create/edit devices, impact is limited to authorized users who might abuse their privileges.
🎯 Exploit Status
Exploitation requires authenticated access with device management permissions. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr
Restart Required: Yes
Instructions:
1. Monitor the Traccar GitHub repository for security updates.
2. When a patched version is released, update Traccar to the latest version.
3. Restart the Traccar service after updating.
🔧 Temporary Workarounds
Restrict Device Management Permissions
Limit which authenticated users can create or edit devices to only trusted administrators.
Implement File System Restrictions
Use operating system permissions to restrict the Traccar process from writing outside the media directory.
Alternatively, run the Traccar process in a chroot jail or in a container with restricted filesystem access.
🧯 If You Can't Patch
- Implement strict access controls to limit device creation/edit permissions to essential administrators only.
- Monitor file system writes by the Traccar process and alert on writes outside the media directory.
🔍 How to Verify
Check if Vulnerable:
Check your Traccar version. If it's 6.11.1 or earlier, you are vulnerable if users have device management permissions.
Check Version:
Check the Traccar web interface admin panel or examine the application version in configuration files.
Verify Fix Applied:
After updating to a patched version, test that setting an absolute path as device uniqueId no longer allows file writes outside the media directory.
📡 Detection & Monitoring
Log Indicators:
- File write operations outside the expected media directory path
- Device creation/modification with unusual uniqueId values containing path traversal characters
Network Indicators:
- HTTP POST requests to device creation/update endpoints with suspicious uniqueId parameters
SIEM Query:
source="traccar" AND (event="device_create" OR event="device_update") AND (uniqueId CONTAINS "/" OR uniqueId CONTAINS "..")
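The following Python is an added example, not code from Traccar or from the advisory. It shows the two defender-side checks implied by the sections above: a path-containment test that rejects a uniqueId which resolves outside the media directory (the absolute-path case this CVE describes, plus the `..` variant), a strict allowlist validator, and a scan of constructed log lines for the log indicators listed. The media layout (`media_root/<uniqueId>/<file>`), the log line format, and the allowlist pattern are assumptions made for this example and are not Traccar's own.

```python
"""Defender-side checks for a uniqueId-based path escape (added example).

Assumptions (not Traccar's real layout or log format):
  - media files are stored as media_root/<uniqueId>/<filename>
  - log lines look like: <ts> event=device_update user=<u> uniqueId="<id>"
"""
import os
import re
from typing import Dict, List

# Assumed allowlist: alphanumerics, dash and underscore only. Stricter than any
# real product policy, but it excludes "/", "\\" and "." and so every traversal form.
UNIQUE_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_contained(media_root: str, unique_id: str, filename: str = "file.bin") -> bool:
    """True only if media_root/unique_id/filename resolves strictly inside media_root.

    os.path.join discards everything before an absolute component, so
    join("/srv/media", "/etc", "x") == "/etc/x". That is exactly the behaviour
    a naive media path builder exposes; resolving and comparing against the
    root catches both absolute uniqueIds and ".." segments.
    """
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, unique_id, filename))
    try:
        return os.path.commonpath([root, candidate]) == root and candidate != root
    except ValueError:  # different drives on Windows: cannot be inside root
        return False


def validate_unique_id(unique_id: str) -> bool:
    """Allowlist check applied before a uniqueId is ever used in a path."""
    return UNIQUE_ID_PATTERN.fullmatch(unique_id) is not None


# Constructed sample log (not real Traccar output): bob and carol are the hits.
SAMPLE_LOG = """\
2026-01-10T12:00:01Z event=device_update user=alice uniqueId="123456789012345"
2026-01-10T12:00:02Z event=device_create user=bob uniqueId="/var/www/html"
2026-01-10T12:00:03Z event=device_update user=carol uniqueId="../../../tmp"
2026-01-10T12:00:04Z event=login user=bob
2026-01-10T12:00:05Z event=device_create user=dave uniqueId="tracker-01"
"""

LOG_LINE = re.compile(
    r'event=(?P<event>device_create|device_update)\s+user=(?P<user>\S+)\s+uniqueId="(?P<uid>[^"]*)"'
)


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return device create/update events whose uniqueId carries path characters.

    Mirrors the SIEM query above: only device_create/device_update events, and
    only those with "/" or ".." (plus backslash and absolute paths) in uniqueId.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        uid = m.group("uid")
        if "/" in uid or "\\" in uid or ".." in uid or os.path.isabs(uid):
            hits.append({"user": m.group("user"), "event": m.group("event"), "uniqueId": uid})
    return hits


if __name__ == "__main__":
    for uid in ("123456789012345", "/etc", "../../etc"):
        print(f"{uid!r}: contained={is_contained('/srv/traccar/media', uid)} "
              f"allowlisted={validate_unique_id(uid)}")
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT", hit)
```

The containment check is the one to keep even after patching: it guards the path builder regardless of how the identifier was validated upstream, while the allowlist fails closed on anything that is not a plain identifier.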