CVE-2026-48745

June 17, 2026, 4:28 p.m.

9.3
Critical

Description

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.

Product(s) Impacted

Vendor Product Versions
Traccar
  • Traccar Client
  • <9.7.20

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-940
Improper Verification of Source of a Communication Channel
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a traccar traccar_client <9.7.20 / / / / / / /

References

https://github.com/traccar/traccar-client/commit/23558b0ae390f8480b2233da07410b5aeaafba09
https://github.com/traccar/traccar-client/security/advisories/GHSA-vm6j-6g39-gj97
https://github.com/traccar/traccar-client/security/advisories/GHSA-vm6j-6g39-gj97

Tags

[email protected]
CWE-940
2026-06-17
CVE-2026-48745

CVSS Score

9.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

    View Vector String

Timeline

Published: June 17, 2026, 1:20 p.m.
Last Modified: June 17, 2026, 4:28 p.m.

Status : Deferred

When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.